
CVE-2023-37478 PoC — pnpm 访问控制错误漏洞

Associated Vulnerability
Title: pnpm access control error vulnerability (CVE-2023-37478)
Description: GitHub pnpm is a fast, disk-space-efficient package manager. pnpm versions before 7.33.4 and before 8.6.8 contain an access control error vulnerability: a package that appears safe on the npm registry, or when installed with npm, can be replaced by a compromised or malicious version when it is installed with pnpm.
Description
CVE-2023-37478 shows how a difference in the way npm and pnpm install packages can be exploited with a crafted tar.gz package. This repo contains a demo.
Readme
# `pnpm` vs `npm` exploit 

This repo showcases how a difference in `npm` and `pnpm` installation from tarballs can be exploited.
The exploit is recorded in [CVE-2023-37478](https://nvd.nist.gov/vuln/detail/CVE-2023-37478).

The JavaScript package constructed here claims it prints out a nice message to the user. When installed with `npm`, this is true.
However, the same package can be installed with `pnpm` and it will print out a mean message. 
One could imagine how this could be more maliciously exploited. 

You can find an old, vulnerable version of pnpm [here](https://github.com/pnpm/pnpm/releases/tag/v8.6.7) that works with this exploit. 
This is fixed in [newer versions of pnpm](https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7) and the fix can be [seen here](https://github.com/pnpm/pnpm/commit/250f7e9fe90359e2b3b01ba8294c4120445e5aa6#diff-0d65e839be9422dce3b76fb31562012c3c205698db6260764ea96ca8811d0344)

## How to use this Repo

`exploitative_package_src` has the source for the package `definitely_benign_package`.
The folder `bad_version` (V0.1) contains malicious code, and `good_version` (V0.2) contains good code.
`make_tar.sh` builds the tar package such that the bad version is added to the tarball before the good version.

For a demo, move/clone the compiled `definitely_benign_package.tgz` into `/use_demonstration/` and install it via `npm` or `pnpm`. This can be shortcut with `make pnpm` or `make npm` (`make clean` also works once you're done).
Once it's installed, run the words of affirmation script with `node words_of_affirmation.js`.
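The mechanism the steps above rely on is a tarball that carries two entries for the same path, with the bad version written first and the good version second, so that an extractor honouring the first entry and one honouring the last entry produce different files. The following Python script is an added example, not code from this repo: it constructs such a sample archive in memory (a stand-in for what `make_tar.sh` produces, with constructed file contents) and then runs the check a defender would want before installing any third-party tarball, namely flagging every path that appears more than once and showing what a first-entry-wins extractor versus a last-entry-wins extractor would end up with. The function and path names are this example's own.

```python
import io
import tarfile
from collections import Counter
from typing import Dict, List, Tuple


def build_tarball(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build a gzipped tar archive in memory from (path, content) pairs.

    Entries are written in the order given, and the same path may appear
    more than once; tar itself does not forbid that, which is exactly what
    the duplicate-entry trick relies on. Constructed sample, not make_tar.sh.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries:
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def duplicate_entries(tgz: bytes) -> Dict[str, int]:
    """Return every regular-file path that occurs more than once, with its count.

    tarfile.getmembers() lists members in archive order and keeps duplicates,
    so counting names is enough to detect a shadowed entry.
    """
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        counts = Counter(m.name for m in tar.getmembers() if m.isfile())
    return {name: n for name, n in counts.items() if n > 1}


def first_vs_last(tgz: bytes, path: str) -> Tuple[bytes, bytes]:
    """Content seen by a first-entry-wins extractor and by a last-entry-wins one.

    Tools that keep the first entry (the behaviour the README attributes to the
    vulnerable pnpm) and tools that keep the last entry (as npm does per the
    README) disagree whenever the two differ.
    """
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        matches = [m for m in tar.getmembers() if m.name == path and m.isfile()]
        first = tar.extractfile(matches[0]).read()
        last = tar.extractfile(matches[-1]).read()
    return first, last


def safe_to_install(tgz: bytes) -> bool:
    """Pre-install gate: reject any archive whose member paths are not unique."""
    return not duplicate_entries(tgz)


# Constructed sample: the "bad" index.js is written before the "good" one.
BAD_INDEX = b"console.log('you are a mean person');\n"
GOOD_INDEX = b"console.log('you are a nice person');\n"
SAMPLE_TGZ = build_tarball([
    ("package/package.json", b'{"name":"definitely_benign_package","version":"0.2.0"}'),
    ("package/index.js", BAD_INDEX),
    ("package/index.js", GOOD_INDEX),
])

if __name__ == "__main__":
    dupes = duplicate_entries(SAMPLE_TGZ)
    print("duplicate paths:", dupes)
    first, last = first_vs_last(SAMPLE_TGZ, "package/index.js")
    print("first-entry extractor would run:", first.decode().strip())
    print("last-entry extractor would run: ", last.decode().strip())
    print("safe to install:", safe_to_install(SAMPLE_TGZ))
```

Running the script shows `package/index.js` listed twice and two different `console.log` lines for the two extraction strategies; `safe_to_install` returns `False` for the sample, so a pre-install hook built on `duplicate_entries` would refuse it regardless of which package manager is about to unpack it.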
File Snapshot

[4.0K] /data/pocs/e5f1abc5336b6de2ff5df50db2127663154172ff
├── [4.0K] exploitative_package_src
│   ├── [4.0K] bad_version
│   │   ├── [ 517] index.js
│   │   └── [ 269] package.json
│   ├── [4.0K] good_version
│   │   ├── [ 102] index.js
│   │   └── [ 268] package.json
│   └── [  98] make_tar.sh
├── [1.5K] README.md
└── [4.0K] use_demonstration
    ├── [ 288] Makefile
    ├── [ 516] README.md
    ├── [  22] test.js
    └── [  99] words_of_affirmation.js

4 directories, 10 files