GCP - Artifact Registry Persistence
Artifact Registry
For more information about Artifact Registry check:
pageGCP - Artifact Registry EnumDependency Confusion
What happens if a remote and a standard repositories are mixed in a virtual one and a package exists in both?
The one with the highest priority set in the virtual repository is used
If the priority is the same:
If the version is the same, the policy name alphabetically first in the virtual repository is used
If not, the highest version is used
Therefore, it's possible to abuse a highest version (dependency confusion) in a public package registry if the remote repository has a higher or same priority
This technique can be useful for persistence and unauthenticated access as to abuse it it just require to know a library name stored in Artifact Registry and create that same library in the public repository (PyPi for python for example) with a higher version.
For persistence these are the steps you need to follow:
Requirements: A virtual repository must exist and be used, an internal package with a name that doesn't exist in the public repository must be used.
Create a remote repository if it doesn't exist
Add the remote repository to the virtual repository
Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository. Run something like:
Download the legit package, add your malicious code and register it in the public repository with the same version. Every time a developer installs it, he will install yours!
For more information about dependency confusion check:
Last updated
