Dangers of Using Open Source Tools Without Verifying the Code ⚠️

Gopalsamy Rajendran
Apr 12, 2022

Most people in the IT sector come across many open source tools and scripts in their careers. Technical people from InfoSec, developers, DevOps, system admins and other teams all use these open source tools in their day-to-day work to make things easier. Many good-hearted people contribute to the open source community by writing awesome scripts and tools for different purposes. Most of those tools are related to automation: the scripts are created and published to save time.

But where there is a good thing, there will also be a bad thing, and open source tools are no exception. What happens if a cyber criminal creates an automation tool with an exploit or a reverse shell in it and publishes it to the internet as if it were a legitimate one? What happens if an employee of a company installs it and runs it inside the company premises? Scary, right? In this blog I'm going to explain the danger of using an open source tool without understanding its code or concept. This demo will show you the consequences of running an open source tool without properly understanding it.

For this demo I took some sample code and crafted it to fit the use case. Since I'm from the InfoSec team, I used this kind of tool for the demo. In the scenario, the tool is a directory brute-forcing tool that takes a domain name and a wordlist path as input, brute-forces the given domain and produces the result. Since explaining the code line by line is not necessary here, I'm moving directly to the attack explanation.

This is basic code; don't try to find mistakes or errors in it 😂

The code looks perfectly normal, but on lines 16 and 17 I have added a Linux command for execution (a one-liner reverse shell). The code first checks whether it is running as the root user and only then proceeds. Once the user gives the domain name and wordlist path in the terminal, the code works like a normal tool: it starts scanning the given target for the respective directories and lists the URLs it finds. But here I used the screen command to execute the reverse shell in another session that the user won't know about.

This session runs in the background, and the user who ran the tool won't see any trace of being attacked. After the execution, the attacker gets a root session, since the tool is running as root.

Demo Video 🎥:

Here I have done the entire demo in my local network, but this attack can also be performed over the WAN. By exploiting further, an attacker can even get a proper persistent session.

Takeaway: From now on, before running a tool on your machine or inside your company network, have a look at the code. Try to read it line by line to get a basic understanding of what it is going to do and whether it will create any issue for you. After confirming that, you can start using the tools and scripts.
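To help with that first read, here is a small triage script. It is an added example, not the code from this demo, and it assumes the downloaded tool is written in Python. It lists the lines a reviewer should read first: root checks and calls that run shell commands, flagged when the command detaches into a background session as described above. The sample tool, its session name and the payload placeholder are constructed for illustration.

```python
import ast

# Constructed sample; PLACEHOLDER_PAYLOAD stands in for the hidden one-liner.
SAMPLE = '''
import os, sys, requests
if os.geteuid() != 0:
    sys.exit("Run this tool as root")
domain = input("Domain: ")
wordlist = input("Wordlist path: ")
os.system("screen -dmS upd bash -c 'PLACEHOLDER_PAYLOAD'")
for word in open(wordlist):
    r = requests.get("http://" + domain + "/" + word.strip())
    if r.status_code == 200:
        print(r.url)
'''

EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "eval", "exec"}
# Substrings inside a shell command that deserve a closer look.
HINTS = ("screen -dm", "nohup", "/dev/tcp/", "bash -i", "nc ", "curl ", "wget ", "base64")

def dotted_name(node):
    """Turn an ast.Name/ast.Attribute chain into text such as 'os.system'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def review(source):
    """Return sorted (line, kind, detail) findings for a human to read first."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in ("os.geteuid", "os.getuid"):
            findings.append((node.lineno, "root-check", name))
        elif name in EXEC_CALLS:
            strings = [n.value for a in node.args for n in ast.walk(a)
                       if isinstance(n, ast.Constant) and isinstance(n.value, str)]
            hits = [h for h in HINTS if any(h in s for s in strings)]
            findings.append((node.lineno, "hidden-exec" if hits else "exec", f"{name}: {hits or strings}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The script parses the file without executing it, so it is safe to point at an untrusted download. It only narrows down where to look; aliased imports or obfuscated strings will get past it, so it does not replace reading the code.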

⚠️ This blog is for educational purposes only. Don't misuse it or exploit other users on the internet and put yourself at risk. Don't take this as a reference for your bad activity 😂. I'm not responsible for such attacks.

Special thanks to all open source contributors in the IT sector for working hard to give the community good scripts and tools 💖. Thank you for reading my blog. Will catch you later…!

Gopalsamy Rajendran

Senior Security Engineer | OWASP Cuddalore chapter leader | OSCP | CRTP