Skip to content

Pipenv's requirements.txt parsing allows malicious index url in comments

High severity GitHub Reviewed Published Jan 8, 2022 in pypa/pipenv • Updated Oct 11, 2024

Package

pip pipenv (pip)

Affected versions

>= 2018.10.9, < 2022.1.8

Patched versions

2022.1.8

Description

Issue Summary

Due to a flaw in pipenv's parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with "pipenv install -r requirements.txt") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems.

Impact

The impact of successful exploitation is severe/critical.

If an attacker is able to hide a malicious --index-url option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). Exploitation using this technique would be relatively simple to achieve for an attacker with basic knowledge of Python, as the attacker can simply build a source distribution for any of the packages specified in the requirements file, and embed arbitrary malicious code in the setup.py file. When pip installs from a source distribution, any code in the setup.py is executed by the install process.

Basic attacks might use the initial RCE triggered when a victim installs the attacker's malicious package to steal credentials from the victim's host, leach the host's resources to mine cryptocurrency, or install exploit kits or other malware. More sophisticated attackers may use more advanced techniques to persist access to the victim's host, hide or remove evidence of their attack by deleting references to the malicious index server in the Pipfile and Pipfile.lock generated by pipenv or other potential indicators of compromise. Highly sophisticated attackers could attempt to pivot to additional targets from the initial compromised host, and might leverage any exposed credentials in the compromised host environment or implicit authorization granted to the host to gain privileged access to other systems or resources, such as source repositories or package registries.

Likelihood

The overall likelihood of exploitation is low to moderate depending on a range of factors.

The primary hurdle to successful exploitation of this vulnerability depends on an attacker's ability to surreptitiously insert a specially crafted string into a requirements.txt file which will be installed by a victim (or victims). Unfortunately, because the attacker can insert this string into a comment, the attacker's ability to evade suspicion is greatly increased, and they may even be able to hide the initial payload in plain sight if a victim assumes that comments will be ignored by pipenv as expected.

In many common usage contexts — for example in environments where a requirements file is used to lock or "freeze" dependency versions for reproducible builds — requirements files can often become quite large, particularly when leveraging pip's integrity checking, which requires every dependency specified in the requirements file to includes hashes for all of its distribution files. In such cases, a malicious actor might mask an exploitation attempt by opening a pull request ostensibly to update or "bump" the project's dependencies to their latest versions, but surreptitiously insert a malicious —index-url option amidst the many other changes associated with updating the dependencies in a lock file. As these dependency updates often result in hundreds or even thousands of changes spread across the requirements file and are not easy to review manually, such an attack could be difficult to identify or prevent without tools or other mitigating controls.

Moreover, because the argparse module is used to parse the --index-url, --extra-index-url, and --trusted-host options, an attacker's ability to obfuscate their payload and hide their malicious intent is even more greatly enhanced, as the attacker may use abbreviated option names, which are supported by default with argparse. For example, an attacker can insert the string, "--t pypi.org" into a comment anywhere in the requirements file, which will automatically be expanded to "--trusted-host pypi.org" during processing by pipenv. This "--trusted-host pypi.org" option will disable SSL/TLS validation when pipenv attempts to connect to the default/official package index server (https://pypi.org/simple), and could allow a malicious index server to pose as the pipi.org index server in a man-in-the-middle attack.

Setting up the malicious index server to serve compromised package versions is relatively simple, even for a non-sophisticated attacker. As pip uses a simple directory format for serving packages, the malicious packages simply need to be placed in the correct folder structure and served using an HTTP server with autoindex enabled (e.g. python3 -m http.server).

Packaging up the exploit code into the malicious package versions would also be trivial for an attacker with basic knowledge of Python development, as the attacker can simply clone the source code for any of the packages specified in the requirements file, embed their malicious exploit code in the cloned package's setup.py file, and then build a source distribution of the package. When pip installs a package from a source distribution, any code in the setup.py is executed by the install process.

Additional Context & Details

According to the requirements file format specification (https://pip.pypa.io/en/stable/reference/requirements-file-format/#comments), any lines which begin with a "#" character, and/or any text in a line following a whitespace and a "#" character, should be interpreted as a comment which will be removed/ignored during processing of the requirements file.

However, due to a flaw in pipenv's parsing of requirements files, an attacker can insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file (e.g. with "pipenv install -r requirements.txt") to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker is then able to gain arbitrary remote code execution on the victims' systems.

The vulnerable requirements file parsing code is in the parse_indexes(str: line) function of the pipenv.utils module:

https://github.com/pypa/pipenv/blob/cdde3f7bcee6bacba89538f73aba9401337be10c/pipenv/utils.py#L2061-L2078

This function is called iteratively on each line of a requirements file, and uses the argparse module to find and process --index-url, --extra-index-url, and --trusted-host options (and variations thereof). However, it does not ignore these options when they appear in comments, or validate that these options appear on their own lines as required by the requirements file specification (see: https://pip.pypa.io/en/stable/reference/requirements-file-format/#global-options). The options can also be abbreviated due to default behavior provided by the argparse.ArgumentParser object used to parse these options in the requirements file, so that --trusted-host and --t will be treated as equivalent by pipenv, for example.

For more information

If you have any questions or comments about this advisory:

References

@frostming frostming published to pypa/pipenv Jan 8, 2022
Published by the National Vulnerability Database Jan 10, 2022
Reviewed Jan 10, 2022
Published to the GitHub Advisory Database Jan 12, 2022
Last updated Oct 11, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required Low
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.
Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.
Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.
Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
Vulnerable System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
Subsequent System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS score

0.273%
(68th percentile)

Weaknesses

CVE ID

CVE-2022-21668

GHSA ID

GHSA-qc9x-gjcv-465w

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.