Critical vulnerabilities in the CocoaPods dependency manager could have allowed threat actors to hijack thousands of orphaned packages, execute shell commands on the Trunk server, and take over owner accounts, potentially impacting millions of iOS and macOS applications, red teaming firm EVA Information Security reports.
CocoaPods, an open source dependency manager for Swift and Objective-C Cocoa projects, has more than 100,000 libraries, and is used by over three million applications across the Apple ecosystem.
In 2014, CocoaPods migrated to a Trunk server acting as a centralized repository and distribution platform, a process that left thousands of orphaned packages, as authorship was reset for all pods and for many the previous owner was not known.
While Podspec authors were asked to claim ownership of pods and retain control over them, 1,866 packages, including many that are widely used in other libraries, remain orphaned.
What EVA discovered was that all pods that had never been claimed had been automatically associated with a single default owner account using the same email address, and that the public API for claiming ownership was still available, so anyone could claim those pods as their own.
An attacker could exploit the vulnerability, tracked as CVE-2024-38368, to take over known orphaned pods and modify their contents or replace them with malicious code.
The second vulnerability, tracked as CVE-2024-38366, is a remote code execution bug in the authentication server for CocoaPods, which executes a shell command to validate the email domain when a developer registers as a pod owner.
According to EVA, vulnerable methods in the RFC822 email-validation library used during this verification step allow an attacker to inject a bash command through the domain part of the address, which is then executed on the Trunk server.
An attacker could exploit this insecure email verification workflow to manipulate or replace packages being downloaded.
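The pattern behind this class of bug, and the fix, as an added illustration in Ruby (the language CocoaPods Trunk is written in). This is not code from CocoaPods, the RFC822 library or EVA's report: the sample addresses, the `dig` command string and the `StubResolver` are constructed here, and the vulnerable helper only builds the command string, it never runs it. The hardened path validates the domain against a strict hostname grammar and then either passes argv as an array (no shell) or, preferably, uses `Resolv::DNS` with no subprocess at all.

```ruby
require 'resolv'

# Constructed sample inputs (not from the page or the CocoaPods code base).
BENIGN_EMAIL  = "dev@example.com"
HOSTILE_EMAIL = "dev@example.com`id>/tmp/x`"

# Vulnerable pattern, shown for illustration: the domain part of the address is
# interpolated into a string that a shell would later interpret (for example via
# backticks or system(str)). This only builds the string and never executes it.
def mx_command_vulnerable(email)
  domain = email.split("@", 2).last
  "dig +short MX #{domain}"
end

# Hardened step 1: accept only a syntactically valid DNS hostname as the domain,
# so shell metacharacters never reach a command or a resolver.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

def extract_domain(email)
  local, domain = email.to_s.split("@", 2)
  return nil if local.nil? || domain.nil? || local.empty?
  return nil unless domain.match?(HOSTNAME_RE)
  domain.downcase
end

# Hardened step 2a: if a subprocess is unavoidable, hand argv to
# Process.spawn / Open3.capture2 as separate arguments, which bypasses the shell.
# The argv array is returned here rather than executed.
def mx_command_hardened(email)
  domain = extract_domain(email) or return nil
  ["dig", "+short", "MX", domain]
end

# Hardened step 2b (preferred): no subprocess at all; query the resolver library.
# `resolver` is injectable so the check can run offline.
def domain_has_mx?(email, resolver: Resolv::DNS.new)
  domain = extract_domain(email) or return false
  !resolver.getresources(domain, Resolv::DNS::Resource::IN::MX).empty?
rescue Resolv::ResolvError
  false
end

# Constructed offline stand-in for Resolv::DNS; answers only for example.com.
class StubResolver
  def getresources(name, _type)
    name == "example.com" ? [:mx_record] : []
  end
end

if __FILE__ == $PROGRAM_NAME
  puts mx_command_vulnerable(HOSTILE_EMAIL)                      # metacharacters survive
  p   mx_command_hardened(HOSTILE_EMAIL)                         # nil: rejected first
  p   domain_has_mx?(BENIGN_EMAIL,  resolver: StubResolver.new)  # true
  p   domain_has_mx?(HOSTILE_EMAIL, resolver: StubResolver.new)  # false
end
```

The check to take away: the injected payload is rejected by the grammar before any lookup happens, and even a legitimate domain never touches `/bin/sh` because the command is built as an argv array or replaced by a library call.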
The third vulnerability, tracked as CVE-2024-38367, is also related to the authentication process, allowing an attacker to hijack a pod owner's session and take over the CocoaPods trunk account.
EVA noticed that the server used the X-Forwarded-Host request header to determine its own hostname when constructing the session validation URL it emailed to the owner, and that an attacker could spoof that header.
The emailed link could therefore point to an attacker-controlled site, where the session validation secret carried in the link would be captured.
Because the session validation link is delivered to the attacker's server automatically, without the victim having to do anything beyond clicking it, the attacker could escalate this to a zero-click attack.
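The header-trust mistake described above, beside its fix, as an added Ruby example that is not CocoaPods' own code. The Rack-style request environments, the hostname `trunk.example.org`, the attacker host `attacker.example` and the `/sessions/verify/` path are all assumptions made for illustration. The point it shows: an absolute link that carries a session secret must take its host from configuration (or from an allowlist the proxy's header is checked against), never verbatim from `X-Forwarded-Host` or `Host`.

```ruby
require 'uri'

# Assumed canonical hostname of the service (not the real Trunk host).
CANONICAL_HOST = "trunk.example.org"
ALLOWED_HOSTS  = [CANONICAL_HOST].freeze

# Constructed Rack-style request environments, not captured traffic.
NORMAL_ENV  = { "HTTP_HOST" => CANONICAL_HOST, "rack.url_scheme" => "https" }
SPOOFED_ENV = NORMAL_ENV.merge("HTTP_X_FORWARDED_HOST" => "attacker.example")

# Vulnerable pattern: the host of the emailed link comes from request headers.
# With a spoofed X-Forwarded-Host the owner receives a link to the attacker's
# site that still carries the session verification token.
def verification_url_vulnerable(env, token)
  host = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"]
  "#{env['rack.url_scheme']}://#{host}/sessions/verify/#{token}"
end

# Hardened: the link's host is fixed by configuration, so no header can move it.
def verification_url_hardened(token)
  "https://#{CANONICAL_HOST}/sessions/verify/#{token}"
end

# If a reverse proxy legitimately sets the header, treat it as an assertion to
# verify against an allowlist, not as a value to copy into output.
def request_host_trusted?(env)
  host = (env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"]).to_s.downcase
  ALLOWED_HOSTS.include?(host)
end

# Small helper used to check where a generated link would actually send the owner.
def link_host(url)
  URI.parse(url).host
end

if __FILE__ == $PROGRAM_NAME
  token = "demo-token"   # constructed; a real token would be random and secret
  puts verification_url_vulnerable(SPOOFED_ENV, token)  # https://attacker.example/...
  puts verification_url_hardened(token)                 # https://trunk.example.org/...
  p   request_host_trusted?(SPOOFED_ENV)                # false
end
```

Rejecting the request outright when `request_host_trusted?` is false is the stricter choice; at minimum the link must be generated from `CANONICAL_HOST` regardless of what the request claims.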
CocoaPods addressed all three vulnerabilities server-side in September and October 2023, so exploitation is no longer possible.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 02 Jul 2024 13:43:05 +0000