Update to version 0.2.0 or higher right away, and also apply the security updates recommended for your operating system. The democritus-urls package provides a set of matcher functions for comparing two URLs. This functionality can be used for authentication, for example by checking whether a URL points to a secure service. Unfortunately, in some cases the URL matcher functions in democritus-urls can be used to inject malicious code into another application, for example to steal authentication credentials from another service or to install a backdoor. This is the case with the d8s-utility package distributed on PyPI.

Update democritus-urls immediately

We recommend updating to 0.2.0 or higher as soon as possible. The democritus-urls package is a dependency of many other packages; since the vulnerability is present in the d8s-utility package, updating that package also mitigates the issue.

Double-encoded data in d8s-utility

The d8s-utility package contains a function called utf8_to_utf16 that converts UTF-8 strings into UTF-16 strings. This function can be used, for example, to generate a signature or to encrypt confidential data. Unfortunately, it can also be used to inject malicious code into another application; in particular, utf8_to_utf16() can be combined with other functions in the same library to build an exploit payload.

What is the d8s-utility package and how does it work?

The d8s-utility package provides an interface to the database of hashes (D8S) service. The D8S service provides a database to which users can upload files that are hashed with a one-way hash function. The user pays a fee to receive their hashes back in a file and use them as authentication credentials.

It is possible to inject malicious code into this package through the "d8s_matcher" function provided by democritus-urls. This can be used, for example, to steal authentication credentials from another service or to install a backdoor.

Security Advisory: d8s-utility package on PyPI

A security advisory has been issued for the d8s-utility package on PyPI. This package provides a number of functions for interactive input and output, such as interactive data editing and plotting via the numpy and matplotlib libraries. The functions in this package are intended for interactive use, but they can also be used to inject malicious code into another application.

Timeline

Published on: 10/11/2022 22:15:00 UTC
Last modified on: 10/12/2022 19:05:00 UTC
