CAPEC-692 Detail

Spoof Version Control System Commit Metadata

Abstraction: Detailed
Domains of Attack: Social Engineering, Supply Chain, Software
Likelihood of Attack: Medium
Typical Severity: High

Parents: 691

Description

An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.

Extended Description

Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:

  Owner of the repository
  Author(s) of commits
  Frequency of commits
  Date/Time of commits
  Repository activity graphs

These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.

External ID / Source / Link / Description

  CAPEC-692 (capec): https://capec.mitre.org/data/definitions/692.html
  CWE-494 (cwe): http://cwe.mitre.org/data/definitions/494.html
  REF-719 (reference_from_CAPEC): Aviad Gershon, "Unverified Commits: Are You Unknowingly Trusting Attackers' Code?", Checkmarx, 2022-07-15. https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/
  REF-720 (reference_from_CAPEC): Deeba Ahmed, "Hackers can spoof commit metadata to create false GitHub repositories", HackRead, 2022-07-17. https://www.hackread.com/hackers-spoof-commit-metadata-false-github-repositories/
Explore
  1. Identify target: The adversary must first identify a target repository to spoof. Typically, this will be a popular and widely used repository, so as to increase the number of victims a successful attack will reach.

Experiment
  1. Create malicious repository: The adversary must create a malicious repository that imitates the legitimate repository being spoofed. This may include creating a username that closely matches the legitimate repository owner; creating a repository name that closely matches the legitimate repository name; uploading the legitimate source code; and more.

  2. Spoof commit metadata: Once the malicious repository has been created, the adversary must then spoof the commit metadata to make the repository appear to be frequently maintained and to originate from trusted sources.
     Techniques:
       Git Commit Timestamps: The adversary generates numerous fake commits while setting the "GIT_AUTHOR_DATE" and "GIT_COMMITTER_DATE" environment variables to the date that is to be spoofed.
       Git Commit Contributors: The adversary obtains a legitimate and trusted user's email address and then sets this information via the "git config" command. The adversary can then commit changes leveraging this username.

Exploit
  1. Exploit victims: The adversary infiltrates software and/or system environments with the goal of conducting additional attacks.
     Techniques:
       Active: The adversary attempts to trick victims into downloading the malicious software by means such as phishing and social engineering.
       Passive: The adversary waits for victims to download and leverage the malicious software.
Prerequisites
  1. Identification of a popular open-source repository whose metadata is to be spoofed.

Not present

Skills Required
  Medium: Ability to spoof a variety of repository metadata to convince victims the source is trusted.

Consequences
  Scope: Integrity / Impact: Modify Data
  Scope: Authorization / Impact: Execute Unauthorized Commands, Alter Execution Logic, Gain Privileges
  Scope: Access Control / Impact: Execute Unauthorized Commands, Alter Execution Logic, Gain Privileges
  Scope: Accountability / Impact: Hide Activities
Example Instances
  1. In July 2022, Checkmarx reported that GitHub commit metadata could be spoofed if unsigned commits were leveraged by the repository. Adversaries were able to spoof commit contributors, as well as the date/time of the commit. This resulted in commits appearing to originate from trusted developers and a GitHub activity graph that duped users into believing that the repository had been maintained for a significant period of time. The lack of commit metadata validation ultimately allowed adversaries to propagate malware to unsuspecting victims [REF-719] [REF-720].
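The techniques in the Execution Flow and the Checkmarx case above both rest on the fact that author name, email and dates in a commit are free text that anyone can set; only a good signature from a key the project already trusts proves who made a commit. The following added example (not part of the CAPEC entry or any referenced tool) triages a git log on that basis: it assumes the log was produced with the `--format` string in its docstring, and the allowlists, key fingerprints and sample commits are constructed placeholders.

```python
"""Triage git commit metadata for CAPEC-692-style spoofing (added example).
Assumed input: `git log --format='%H%x1f%ae%x1f%aI%x1f%cI%x1f%G?%x1f%GF'`,
one commit per line: hash, author email, author date, committer date,
signature status (%G?: G=good, N=none, B=bad, U=unknown, E=error), key fingerprint."""
from datetime import datetime

# Constructed allowlists; a real project would keep these in a signed policy file.
TRUSTED_KEYS = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}
TRUSTED_EMAILS = {"maintainer@example.org"}

def parse_log(text):
    """Yield one dict per non-empty line of the assumed format."""
    for line in text.splitlines():
        if line.strip():
            sha, email, ad, cd, status, fpr = line.split("\x1f")
            yield {"sha": sha, "email": email, "status": status, "fpr": fpr,
                   "author_date": datetime.fromisoformat(ad),
                   "commit_date": datetime.fromisoformat(cd)}

def assess(c):
    """Return (verdict, notes). Only a good signature from an allowlisted key
    proves who made the commit; email and dates are free text set by the committer."""
    notes = []
    if c["status"] != "G":
        notes.append(f"signature status {c['status']!r}, not a good signature")
    elif c["fpr"] not in TRUSTED_KEYS:
        notes.append(f"signed by non-allowlisted key {c['fpr']}")
    verified = not notes
    if not verified and c["email"] in TRUSTED_EMAILS:
        notes.append("claims a trusted author identity without proof")
    # Weak signal only: rebases also move the committer date, but backdated author
    # timestamps on unverified commits are how an activity graph gets padded.
    if abs((c["commit_date"] - c["author_date"]).days) > 1:
        notes.append("author date and committer date differ by more than a day")
    return ("VERIFIED" if verified else "UNVERIFIED"), notes

# Constructed sample: a genuine signed commit, an unsigned commit that borrows the
# maintainer's email with an old author date, and a commit signed by a stranger's key.
SAMPLE_LOG = "\n".join("\x1f".join(f) for f in [
    ["1" * 40, "maintainer@example.org", "2022-07-15T10:00:00+00:00",
     "2022-07-15T10:00:00+00:00", "G", "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"],
    ["2" * 40, "maintainer@example.org", "2019-01-05T09:00:00+00:00",
     "2022-07-15T11:00:00+00:00", "N", ""],
    ["3" * 40, "stranger@example.net", "2022-07-15T12:00:00+00:00",
     "2022-07-15T12:00:00+00:00", "G", "9999000099990000999900009999000099990000"],
])

def triage(text=SAMPLE_LOG):
    """Map short hash -> (verdict, notes) for every commit in the log."""
    return {c["sha"][:8]: assess(c) for c in parse_log(text)}
```

Run `triage()` on the sample and only the first commit comes back VERIFIED; the second is flagged both for lacking a signature and for the backdated author timestamp that would pad an activity graph.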