The d8s-netstrings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.

**Project description**

**Democritus Netstrings**

      

Democritus functions\[1\] for working with Netstrings.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s as an abbreviation for democritus (you can read more about this here).

**Functions**

*   def string\_to\_netstring\_ascii(string: str, \*args):
        """Convert the given string to a netstring (and return it's ascii representation)."""
    
*   def string\_to\_netstring\_hex(string: str, \*args):
        """Convert the given string to a netstring (and return it's hex representation)."""
    
*   def netstring\_ascii\_to\_netstring\_hex(netstring\_ascii: str):
        """Convert a netstring (represented as ascii) to its hex representation."""
    
*   def netstring\_hex\_to\_netstring\_ascii(netstring\_hex: str):
        """Convert a netstring (represented as hex) to its ascii representation."""
    
*   def netstring\_ascii\_to\_string(netstring\_ascii: str):
        """Get the string portion of the given netstring (represented as ascii)."""
    
*   def netstring\_hex\_to\_string(netstring\_hex: str):
        """Get the string portion of the given netstring (represented as hex)."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-38885: d8s-netstrings

The d8s-python for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The democritus-strings package. The affected version is 0.1.0.

**Project description**

**Democritus Python**

      

Democritus functions\[1\] for working with Python data (code and ASTs).

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

We use d8s (pronounced "dee-eights") as an abbreviation for democritus (you can read more about this here).

**Installation**

    pip install d8s-python
    

**Usage**

You import the library like:

from d8s\_python import \*

Once imported, you can use any of the functions listed below.

**Functions**

*   def python\_functions\_signatures(
        code\_text: str,
        \*,
        ignore\_private\_functions: bool \= False,
        ignore\_nested\_functions: bool \= False,
        keep\_function\_name: bool \= False,
    ) \-> List\[str\]:
        """Return the function signatures for all of the functions in the given code\_text."""
    
*   def python\_todos(code\_text: str, todo\_regex: str \= 'TODO:.\*') \-> List\[str\]:
        """Return all todos in the given code\_text that match the given todo\_regex."""
    
*   def python\_make\_pythonic(name: str) \-> str:
        """Make the name pythonic.
    
    (e.g. 'fooBar' => 'foo\_bar', 'foo-bar' => 'foo\_bar', 'foo bar' => 'foo\_bar', 'Foo Bar' => 'foo\_bar')."""
    
*   def python\_namespace\_has\_argument(namespace: argparse.Namespace, argument\_name: str) \-> bool:
        """."""
    
*   def python\_traceback\_prettify(traceback: str) \-> str:
        """Return a string with the given traceback pretty-printed."""
    
*   def python\_traceback\_pretty\_print(traceback: str) \-> None:
        """Return a string with the given traceback pretty-printed."""
    
*   def python\_clean(code\_text: str) \-> str:
        """Clean python code as it is often found in documentation and snippets."""
    
*   def python\_function\_blocks(
        code\_text: str, \*, ignore\_private\_functions: bool \= False, ignore\_nested\_functions: bool \= False
    ) \-> List\[str\]:
        """Find the code (as a string) for every function in the given code\_text."""
    
*   def python\_line\_count(python\_code: str, \*, ignore\_empty\_lines: bool \= True) \-> int:
        """Return the number of lines in the given function\_text."""
    
*   def python\_function\_lengths(code\_text: str) \-> List\[int\]:
        """Find the lengths of each function in the given code\_text."""
    
*   def python\_version() \-> str:
        """Return the python version of the current environment."""
    
*   def python\_is\_version\_2() \-> bool:
        """Return whether or not the python version of the current environment is v2.x."""
    
*   def python\_is\_version\_3() \-> bool:
        """Return whether or not the python version of the current environment is v3.x."""
    
*   def python\_files\_using\_function(function\_name: str, search\_path: str) \-> List\[str\]:
        """Find where the given function is used in the given search path."""
    
*   def python\_keywords() \-> List\[str\]:
        """Get a list of the python keywords."""
    
*   def python\_object\_properties\_enumerate(
        python\_object: Any, \*, run\_methods: bool \= True, internal\_properties: bool \= True
    ) \-> None:
        """Enumerate and print out the properties of the given object."""
    
*   def python\_copy\_deep(python\_object: Any) \-> Any:
        """Return a deep (complete, recursive) copy of the given python object."""
    
*   def python\_copy\_shallow(python\_object: Any) \-> Any:
        """Return shallow copy of the given python object."""
    
*   def python\_file\_names(path: str, \*, exclude\_tests: bool \= False) \-> List\[str\]:
        """Find all python files in the given directory."""
    
*   def python\_fstrings(code\_text: str, \*, include\_braces: bool \= False) \-> Iterator\[str\]:
        """Find all of the python formatted string literals in the given text. See https://realpython.com/python-f-strings/ for more details about f-strings."""
    
*   def python\_code\_details(code\_text: str):
        """Get details about the given code\_text. This is a wrapper for \`dis.code\_info\`"""
    
*   def python\_disassemble(code\_text: str):
        """Disassemble the python code\_text. This is a wrapper for \`dis.dis\`"""
    
*   def python\_stack\_local\_data():
        """Get local data in the current python environment."""
    
*   def python\_object\_doc\_string(python\_object: Any) \-> Union\[str, None\]:
        """Get the doc string for the given python object (e.g. module, function, or class)."""
    
*   def python\_object\_source\_file(python\_object: Any) \-> str:
        """Get the source file for the given python object (e.g. module, function, or class)."""
    
*   def python\_object\_module(python\_object: Any) \-> str:
        """Get the module for the given python object (e.g. function or class)."""
    
*   def python\_object\_source\_code(python\_object: Any) \-> str:
        """Get the source code for the given python object (e.g. module, function, or class)."""
    
*   def python\_object\_signature(python\_object: Any) \-> str:
        """Get the argument signature for the given python object (e.g. module, function, or class)."""
    
*   def python\_sort\_type\_list\_by\_name(python\_type\_list: List\[type\], \*\*kwargs) \-> List\[type\]:
        """."""
    
*   def python\_type\_name(python\_type: type) \-> str:
        """Return the common name of the given type."""
    
*   def python\_object\_type\_to\_word(python\_object: Any) \-> str:
        """Convert the given python type to a string."""
    
*   def python\_ast\_raise\_name(node: ast.Raise) \-> Optional\[str\]:
        """Get the name of the exception raise by the given ast.Raise object."""
    
*   def python\_ast\_exception\_handler\_exceptions\_handled(handler: ast.ExceptHandler) \-> Optional\[Iterable\[str\]\]:
        """Return all of the exceptions handled by the given exception handler."""
    
*   def python\_ast\_exception\_handler\_exceptions\_raised(handler: ast.ExceptHandler) \-> Optional\[Iterable\[str\]\]:
        """Return the exception raised by the given exception handler."""
    
*   def python\_exceptions\_handled(code\_text: str) \-> Iterable\[str\]:
        """Return a list of all exceptions handled in the given code."""
    
*   def python\_exceptions\_raised(code\_text: str) \-> Iterable\[str\]:
        """Return a list of all exceptions raised in the given code."""
    
*   def python\_functions\_as\_import\_string(code\_text: str, module\_name: str) \-> str:
        """."""
    
*   def python\_ast\_object\_line\_number(ast\_object: object) \-> Optional\[int\]:
        """."""
    
*   def python\_ast\_object\_line\_numbers(ast\_object: object) \-> Tuple\[int, int\]:
        """."""
    
*   def python\_ast\_objects\_of\_type(
        code\_text\_or\_ast\_object: Union\[str, object\], ast\_type: type, \*, recursive\_search: bool \= True
    ) \-> Iterable\[object\]:
        """Return all of the ast objects of the given ast\_type in the code\_text\_or\_ast\_object."""
    
*   def python\_ast\_objects\_not\_of\_type(code\_text\_or\_ast\_object: Union\[str, object\], ast\_type: type) \-> Iterable\[object\]:
        """Return all of the ast objects which are not of the given ast\_type in the code\_text\_or\_ast\_object."""
    
*   def python\_ast\_parse(code\_text: str) \-> ast.Module:
        """."""
    
*   def python\_ast\_function\_defs(code\_text: str, recursive\_search: bool \= True) \-> Iterable\[ast.FunctionDef\]:
        """."""
    
*   def python\_function\_arguments(function\_text: str) \-> List\[ast.arg\]:
        """."""
    
*   def python\_function\_argument\_names(function\_text: str) \-> Iterable\[str\]:
        """."""
    
*   def python\_function\_argument\_defaults(function\_text: str) \-> List\[str\]:
        """."""
    
*   def python\_function\_argument\_annotations(function\_text: str) \-> List\[str\]:
        """."""
    
*   def python\_function\_names(
        code\_text: str, \*, ignore\_private\_functions: bool \= False, ignore\_nested\_functions: bool \= False
    ) \-> List\[str\]:
        """."""
    
*   def python\_function\_docstrings(
        code\_text: str, \*, ignore\_private\_functions: bool \= False, ignore\_nested\_functions: bool \= False
    ) \-> List\[str\]:
        """Get docstrings for all of the functions in the given text."""
    
*   def python\_variable\_names(code\_text: str) \-> List\[str\]:
        """Get all of the variables names in the code\_text."""
    
*   def python\_constants(code\_text: str) \-> List\[str\]:
        """Get all constants in the code\_text."""
    

**Development**

👋  If you want to get involved in this project, we have some short, helpful guides below:

*   contribute to this project 🥇
*   test it 🧪
*   lint it 🧹
*   explore it 🔭

If you have any questions or there is anything we did not cover, please raise an issue and we'll be happy to help.

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution****Built Distribution**

CVE-2022-38887: d8s-python

The d8s-json for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-strings package. Attackers can upload democritus-strings packages containing arbitrary malicious code. For the safety of this project, the democritus-strings package has been uploaded by us.

The democritus-strings package can be successfully installed using pip install d8s-json==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-38882: code execution backdoor · Issue #9 · democritus-project/d8s-json

The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0.

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-strings package. Attackers can upload democritus-strings packages containing arbitrary malicious code. For the safety of this project, the democritus-strings package has been uploaded by us.

The democritus-strings package can be successfully installed using pip install d8s-xml==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-38886: code execution backdoor · Issue #10 · democritus-project/d8s-xml

The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0

Democritus functions to interact with Hypothesis.

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

    

Democritus functions\[1\] for working with Hypothesis.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for democritus\_hypothesis-2021.1.2101.tar.gz**

Hashes for democritus\_hypothesis-2021.1.2101.tar.gz

Algorithm

Hash digest

SHA256

aaa683f5ebb4a282c1aad77f13359203bb2a3c71d09e282488dfa41df8bae818

MD5

d6621f711f0df829375fcab223aa0e7d

BLAKE2-256

39107eb111d7d7afb3d04c69aa3e5b431def25cc2660a84af1627aa5d9ec4d92

CVE-2022-40807: democritus-hypothesis

The d8s-domains for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-networking package. The affected version is 0.1.0

Democritus functions for working with network requests.

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

  

Democritus functions\[1\] for working with network requests.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for democritus\_networking-2021.1.2101.tar.gz**

Hashes for democritus\_networking-2021.1.2101.tar.gz

Algorithm

Hash digest

SHA256

a139aafc83f392abc719a84a1733189899f3b8587bc84c5ac2d8835821343048

MD5

bf27bedf981bd377a7686a9ec91e6219

BLAKE2-256

7544ef1be47a0dc02723fda67e5fa4d685677a9deea42cce294be4b5a8c41185

CVE-2022-40427: democritus-networking

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.

**Project description**

**Democritus File System (Files and Directories)**

  

Democritus functions\[1\] for working with files and directories.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

CVE-2022-40811: democritus-file-system

The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0

We discovered a potential code execution backdoor in version 0.1.0 of the project, the backdoor is the democritus-hypothesis package. Attackers can upload democritus-hypothesis packages containing arbitrary malicious code. For the safety of this project, the democritus-hypothesis package has been uploaded by us.

The democritus-hypothesis package can be successfully installed using pip install d8s-dates==0.1.0

Suggestion: remove version 0.1.0 of this project in PyPI

CVE-2022-40808: code execution backdoor · Issue #26 · democritus-project/d8s-dates

The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The affected version is 0.1.0.

Democritus functions for working with Python strings.

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

  

Democritus functions\[1\] for working with Python strings.

\[1\] Democritus functions are _simple, effective, modular, well-tested, and well-documented_ Python functions.

**Usage**

Coming soon...

**Credits**

This package was created with Cookiecutter and Floyd Hightower's Python project template.

**Project details**  

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Source Distribution**

Close

**Hashes for democritus\_strings-2021.1.28901.tar.gz**

Hashes for democritus\_strings-2021.1.28901.tar.gz

Algorithm

Hash digest

SHA256

04da63d5eea60ed11af7ab04749cedaa30388d03af16a7f877e4a9b0e9ecdf73

MD5

e6f7519a554373579885a24d2556cfe6

BLAKE2-256

3473320cd60b905fcd09b4ba23ba254f6377a48ec6b0a6124298f7804eb0e1d7

CVE-2022-38880: democritus-strings

Alleged teen hacker claims he found an admin password in a network share inside Uber that allowed complete access to ride-sharing giant's AWS, Windows, Google Cloud, VMware, and other environments.

Questions are swirling around Uber's internal security practices after an 18-year-old hacker gained what appears to have been complete administrative access to critical parts of the company's IT infrastructure using an employee's VPN credentials as an initial access vector.

Numerous screenshots that the alleged attacker posted online suggest the intruder did not have to breach a single internal system to essentially pwn the ride-sharing giant's IT domain almost entirely.

So far, Uber has not disclosed details of the incident beyond saying that the company is responding to it and working with law enforcement to investigate the breach. So, at least some of what is being is reported about the incident is based on a New York Times report from Sept. 15 in which the teen claimed to have gained access to Uber's internal networks using credentials obtained from an employee via social engineering. The attacker used that access to move laterally across Uber's internal domain to other critical systems, including its email, cloud storage, and code repository environments.

Since then, he has posted numerous screen shots of internal systems at Uber to confirm the access he had obtained on it and how it was obtained.

The screenshots show the hacker gained full administrative access to Uber's AWS, Google Cloud, VMware vSphere, and Windows environments — as well as to a full database of vulnerabilities in its platform that security researchers have discovered and disclosed to the company via a bug bounty program managed by HackerOne. The internal data the attacker accessed appears to include Uber sales metrics, information on Slack, and even info from the company's endpoint detection and response (EDR) platform.

In a tweet thread that some security researchers reposted, Twitter user Corben Leo posted claims from the alleged hacker that he used the socially engineered credentials to access Uber's VPN and scan the company's intranet. The hacker described finding an Uber network share that contained PowerShell scripts with privileged admin credentials. "One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, Duo, OneLogin, AWS, GSuite," the attacker claimed.

For now, the attacker's motivations are not very clear. Normally, it's pretty apparent, but the only thing that hacker has done so far is make a lot of noise, noted that Uber drivers should be paid more, and shared screenshots proving access.

"They seemed really young and maybe even a little sloppy. Some of their screenshots had open chat windows and a ton of metadata," says Sam Curry, a security engineer at Yuga Labs who has reviewed the screenshots,

**Pure-Play Social Engineering**

Invincible Security Group (ISG), a Dubai-based security services firm, claimed that its researchers had obtained a list of administrative credentials that the threat actor had gathered. "They seem to be strong passwords, which confirms that it was indeed a social-engineering attack that got him access to Uber's internal network," ISG tweeted.

Curry tells Dark Reading that the attacker appears to have gained initial access from compromising one employee's login information and social engineering that person's VPN two-factor authentication 2FA prompt.

"Once they had VPN access, they discovered a network drive with 'keys to the kingdom,' which allowed them to access \[Uber's\] cloud hosting as root on both Google Cloud Platform and Amazon Web Services," Curry notes. "This means they probably had access to every cloud deployment, which is likely the majority of Uber's running applications and cloud storage."

One significant fact is that the employee who was initially compromised worked in incident response, he notes, adding that normally such employees have access to many more tools within Uber's environment than average employees. 

"Having this level of access, and additionally the access they found in the PowerShell script, means that they probably didn’t have too many limitations to do whatever they wanted inside Uber," Curry says.  

In a series of tweets, independent security researcher Bill Demirkapi said the attacker appears to have gained persistent MFA access to the compromised account at Uber "by socially engineering the victim into accepting a prompt that allowed the attacker to register their own device for MFA."

"The fact that the attackers appear to have compromised an IR team member's account is worrisome," Demirkapi tweeted. "EDRs can bake in 'backdoors' for IR, such as allowing IR teams to 'shell into' employee machines (if enabled), potentially widening the attacker's access."

**Bug Bounty Data Access is "Problematic"**

The apparent fact that the attacker gained access to Uber vulnerability data submitted via its bug bounty program is also problematic, security experts say. 

Curry says he learned of the access after the hacker posted a comment about Uber being hacked on the company's bug bounty tickets. Curry had previously discovered and submitted a vulnerability to Uber, which if exploited would have permitted access to its code repositories. That bug was addressed, but it's unclear how many of the other vulnerabilities that have been disclosed to the company have been fixed, how many of them were unpatched, and what level of access those vulnerabilities could provide if exploited. The situation could become significantly worse if the hacker sells the vulnerability data to others.

"Bug bounty programs are an important layer in mature security programs," says Shira Shamban, CEO at Solvo. "A main implication here is that the hacker now knows about other vulnerabilities within the Uber IT environment and can use them to set up backdoors for future use, which is unsettling."

Vulnerability and pen-testing tools are important in enabling companies to better assess and improve the security postures, says Amit Bareket, CEO and co-founder of Perimeter 81. "However, if the correct security measures aren't put in place, these tools can turn into double-sided swords, enabling bad actors to take advantage of the sensitive information they may contain," he says. 

Companies should be aware of this and make sure such reports are protected and stored in encrypted form to avoid being misused for malicious intent, Bareket notes.

The latest incident is unlikely to do much to improve Uber's already somewhat dinged reputation for security. In October 2016, the company experienced a data breach that exposed sensitive information on some 57 million riders. But instead of disclosing the breach as it was required to, the company paid $100,000 to the security researchers that reported the breach in what was viewed as an attempt to pay them off. In 2018, the company settled a lawsuit over the incident for $148 million. It arrived at similar but much smaller settlements in lawsuits over the incidents in the UK and the Netherlands.

Tag

#backdoor