TL;DR: I was able to execute commands on a Microsoft Halo server through a Dependency Confusion attack, but MSRC says it's not their problem.
I was searching for bugs on https://github.com/symphonyoss/SymphonyElectron when I found this file https://github.com/symphonyoss/SymphonyElectron/blob/main/package.json, where there is an optionalDependencies entry for an npm package called "swift-search".
This package name was unclaimed on https://www.npmjs.com, so I published a package under multiple versions with a preinstall script that would let me know if someone installed it. This attack is called Dependency Confusion; if you want more details on how it works, please check this blog post https://email@example.com/dependency-confusion-4a5d60fec610.
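As an added example (not code from the original post or from SymphonyElectron), here is a small audit that walks every dependency section of a package.json and reports names the registry does not know, which is the condition that made the "swift-search" entry claimable. The package.json contents and the registry set are constructed, and `fakeExists` stands in for a real registry lookup.

```javascript
// Added example, not code from the original post or from SymphonyElectron:
// audit every dependency section of a package.json for names that the registry
// you resolve from does not know. An unknown name is claimable by anyone, which
// is the condition that made the "swift-search" optionalDependency exploitable.
// The registry lookup is a plain predicate so the audit runs offline here.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Flatten all sections into [{ name, section, spec }]. optionalDependencies are
// included on purpose: npm installs them (and runs their preinstall) by default.
function listDependencies(pkg) {
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      out.push({ name, section, spec });
    }
  }
  return out;
}

// exists(name) -> boolean. In a live run, back this with a GET to
// https://registry.npmjs.org/<name> and treat HTTP 404 as "does not exist".
// Returns every declared dependency whose name is unclaimed on the registry.
function findUnclaimed(pkg, exists) {
  return listDependencies(pkg).filter((dep) => !exists(dep.name));
}

// Constructed package.json fragment in the shape described above: the only
// detail taken from the post is that "swift-search" sits in optionalDependencies.
const SAMPLE_PKG = {
  dependencies: { electron: '^13.0.0' }, // constructed entry
  optionalDependencies: { 'swift-search': '1.0.0' },
};

// Constructed registry contents for the offline run: only "electron" is claimed.
const KNOWN = new Set(['electron']);
const fakeExists = (name) => KNOWN.has(name);

// Human-readable findings, one line per unclaimed name.
function report(pkg, exists) {
  return findUnclaimed(pkg, exists).map(
    (d) => `${d.section}: "${d.name}" is not on the registry and can be claimed by anyone`,
  );
}
```

For a live run, replace `fakeExists` with a real registry query; setting `ignore-scripts=true` in `.npmrc` additionally stops a claimed package's preinstall from executing at install time.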
After a few hours I got interactions in my Burp Collaborator instance. The DNS queries came from 18.104.22.168, which is a Microsoft DNS server, followed by a POST request from 22.214.171.124, which is also a Microsoft IP address (UK).
descr: Microsoft Limited UK
By accessing https://126.96.36.199 I noticed that the certificate's CN field was "*.test.svc.halowaypoint.com", which confirms this is a Microsoft service. One of the commands I executed through the preinstall script was "env". Below you can see some lines of the env output that I was able to extract from the server.
npm_config_user_agent=npm/6.14.12 node/v12.22.1 linux x64 ci/github-actions
So I had the terrible idea of reporting this vulnerability to MSRC (https://msrc.microsoft.com). Since I more or less found the issue by accident, I didn't expect to receive the response below from MSRC.
We completed our assessment and determined that this issue needs to be reported to the maintainer of SymphonyElectron directly.
Thanks for sharing this with us. No further action will be taken from MSRC and I will proceed with closing the case.
What? 😕 It wasn't the first time that MSRC didn't get the problem, and I don't think it'll be the last. To my surprise, an hour later I received another email from MSRC, as you can see in the screenshot below.
Wait a minute! First MSRC said this is not a problem for them, but now they want to reproduce the issue. 🤣
I was planning to forget this report, but I tried explaining to them what happened. I wrote a detailed email (like a training session) explaining why this is a critical vulnerability and closed it with the following sentences.
So I'll be waiting until the end of tomorrow for your confirmation regarding what I wrote above. If you guys do not respond or disagree with my statements, that's fine; it means this is not an issue for you guys, so I'll publish on Medium everything that we discussed here.
Over the next few days I received the email below from MSRC.
I’m not going to reveal the name but this was the first time that I received an email from MSRC with a name on it.
After two days I replied asking for updates and was ignored. After another two days I tried contacting them again with the email below.
Since I didn't get any response to my email below and you haven't provided any ETA for a position on my report, I'll give you a deadline.
If you do not reply by Jun 23 with a resolution for this case, I'll assume you agree to my publishing a blog post with all the content of this report.
Since I didn't get any reply from them, I'm publishing this post.