TL;DR: I was able to execute commands on a Microsoft Halo server through a Dependency Confusion attack, but MSRC is saying it's not their problem.

I was searching for bugs in https://github.com/symphonyoss/SymphonyElectron when I found this file, https://github.com/symphonyoss/SymphonyElectron/blob/main/package.json, where there is an optionalDependencies entry for an npm package called "swift-search".
The name of this npm package was still available on https://www.npmjs.com, so I published a package under multiple versions with a nice preinstall script, so that if someone installed the package I would know. This attack is called Dependency Confusion; if you want more details on how it works, please check this blog post: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610.
After some hours I got interactions on my Burp Collaborator instance. The DNS queries were coming from 13.66.137.90, which is a Microsoft DNS server, and after that a POST request came from 51.141.173.203, which is also a Microsoft IP address (UK).

inetnum: 51.140.0.0-51.145.255.255
org: ORG-MA42-RIPE
netname: MICROSOFT
descr: Microsoft Limited UK
country: GB

By accessing https://51.141.173.203 I noticed the certificate CN field was set to "*.test.svc.halowaypoint.com", which confirms this is a Microsoft service. One of the commands that I executed through the preinstall script was "env". Below you can see some lines of the env output that I was able to extract from the server.

DEPLOYMENT_BASEPATH=/opt/runner
USER=runner
npm_config_user_agent=npm/6.14.12 node/v12.22.1 linux x64 ci/github-actions
GITHUB_ENV=/home/runner/work/_temp/_runner_file_commands/set_env_73c3242d-3ebe-4fef-b35e-4c01f044ff0b
PIPX_HOME=/opt/pipx
GRAALVM_11_ROOT=/usr/local/graalvm/graalvm-ce-java11-21.0.0.2
AZURE_EXTENSION_DIR=/opt/az/azcliextensions
npm_package_description=swift-search
ImageVersion=20210412.1
SWIFT_PATH=/usr/share/swift/usr/bin
GITHUB_RUN_ID=773121366
GOROOT_1_16_X64=/opt/hostedtoolcache/go/1.16.3/x64
ANT_HOME=/usr/share/ant
RUNNER_TRACKING_ID=github_ade7a12e-905e-4b34-b09e-b3ddda770183
HOMEBREW_CELLAR="/home/linuxbrew/.linuxbrew/Cellar"
npm_package_name=swift-search

So I had the terrible idea of reporting this vulnerability to MSRC (https://msrc.microsoft.com). Since I kind of found the issue by accident, I didn't expect to receive the response below from MSRC.

We completed our assessment and determined that this issue needs to be reported to the maintainer of SymphonyElectron directly.
Thanks for sharing this with us. No further action will be taken from MSRC and I will proceed with closing the case.

What? 😕 It wasn't the first time that MSRC didn't get the problem, and I don't think it'll be the last. To my surprise, after one hour I received another email from MSRC, as you can see in the screenshot below.

Wait a minute! First MSRC said this is not a problem for them, but now they want to reproduce the issue. 🤣
I was planning to forget this report, but I tried to explain to them what happened. I wrote a detailed email (like a training session) explaining why this is a critical vulnerability and closed my email with the following sentences.

So I'll be waiting until the end of tomorrow for your confirmation regarding what I wrote above. If you guys do not respond or disagree with my statements, that's fine; it means this is not an issue for you guys, so I'll publish on Medium everything that we discussed here.

In the following days I received the email below from MSRC.

I'm not going to reveal the name, but this was the first time that I received an email from MSRC with a name on it.
After two days I replied asking for updates and was ignored. After another two days I tried to contact them again with the email below.

Since I didn't get any response to my email below and you have not provided any ETA for a position on my report, I'll give you a deadline.
If you do not reply back by Jun 23 with a resolution for this case, I'll assume you agree to me publishing a blog post with all the content of this report.

Since I didn’t get any reply from them I’m publishing this post.

If you want to contact me you can send an email to ricardo.iramar@gmail.com or reach me on Twitter at @ricardo_iramar.