Pierluigi Paganini December 16, 2019

NPM, the biggest package manager for JavaScript libraries, has addressed a vulnerability that could be exploited to execute “binary planting” attacks.

NPM maintainers have addressed a vulnerability that could allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed, so-called “binary planting” attacks.

The vulnerability affects versions of NP prior to 6.13.3 (and versions of yarn prior to 1.21.1), a specially crafted entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files the system where the package is installed.

“In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.” reads the advisory published by NPM.

“In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location.  (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)”

The vulnerability affects older versions of yarn, an open-source alternative client developed by Facebook for fetching modules from the registry.

NPM maintainers also addressed a separate vulnerability that could be exploited to create arbitrary symlinks to any file.

The experts pointed out that vulnerable NPM versions, and all current versions of yarn allow the arbitrary overwriting of an existing binary in the /usr/local/bin directory with another file.

The vulnerability was reported by the developer Daniel Ruf who shared technical details in a blog post.

“While npm and yarn are most vulnerable, pnpm seems to prevent many of the attack types as my tests concluded.” Ruf wrote.

“pnpm seems to not resolve the path outside of node_modules in most cases. Also as pnpm uses symlinks in general to manage the dependencies, it prevents that symlinks can be overwritten by other packages then with which they were created and are owned by them.”

“The problem is that we can define any (valid) paths for the binary name and the file which is then symlinked.”

To carry out the attack it is required an entry for the “bin” key in package.json, a file that npm uses to contain the metadata about the project and its dependencies.

"bin": { "../some/path": "../some/other/path" }

The expert also created proof-of-concept exploits that write or overwrite arbitrary files and allow unauthorized file access.

The good news is that NPM has not found any module in the registry that use this attack.

“That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry,” NPM’s security team said.

Pierluigi Paganini

(SecurityAffairs – NPM, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]