CVE-2025-68619

HIGH 7.3 / 10.0
Published: January 1, 2026 at 07:15 PM
Modified: January 6, 2026 at 05:57 PM
Source: security-advisories@github.com

Vulnerability Description

Signal K Server is a server application that runs on a central hub in a boat. In versions prior to 2.19.0, the appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers, including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it automatically executes any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible and the Signal K code passes the version parameter directly to npm without sanitization. An attacker with admin access can therefore install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.

CVSS Metrics

Base Score
7.3
Severity
HIGH
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

Signal K Server versions prior to 2.19.0 are vulnerable to remote code execution (RCE). An attacker with administrative privileges can exploit a flaw in the appstore interface to install malicious npm packages, leading to complete system compromise. This vulnerability allows for arbitrary code execution on the boat's central hub, potentially impacting navigation, communication, and other critical functions.

02 // Vulnerability Mechanism

Step 1: Admin Access Required: The attacker must have administrative access to the Signal K Server's appstore interface.

Step 2: Crafting the Malicious Package: The attacker creates a malicious npm package. This package is hosted on a Git repository, GitHub, or a web server and includes a package.json file with a postinstall script containing the attacker's payload (e.g., reverse shell, data exfiltration, etc.).

Step 3: Exploiting the REST API: The attacker uses the Signal K Server's REST API endpoint for installing npm packages. They provide the legitimate package name and a crafted version parameter pointing to their malicious package source (e.g., a Git repository URL).

Step 4: Package Installation: The Signal K Server, due to the vulnerability, downloads and installs the attacker's malicious package using npm install.

Step 5: Post-Installation Code Execution: Upon installation, npm executes the postinstall script defined in the attacker's package.json file, triggering the attacker's payload and granting them control over the server.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation in the Signal K Server's appstore interface when handling the version parameter during npm package installation. The code passes the user-supplied version specifier to `npm install` unchanged, so the "version" can name a package source rather than a version: a Git repository, a GitHub shorthand, or a URL pointing to a tarball containing a crafted package.json. That package.json can declare a postinstall script, which npm runs automatically once the package is unpacked, with the privileges of the server process. The root cause is the missing validation of the version parameter, combined with the flexibility of npm's version specifier syntax and npm's automatic execution of install scripts.
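The defensive check the analysis calls for, as an added example that is not Signal K Server's code and not a description of the 2.19.0 patch: an allowlist that only lets a strict semver version (or the bare `latest` tag) reach `npm install`, so git URLs, GitHub shorthand, tarball URLs and `file:` paths never become an npm argument. The function names and the sample specifiers are constructed for illustration.

```javascript
// Added example (not Signal K Server's own code): validate the user-supplied
// npm "version" before it is handed to `npm install`, so that the many
// specifier forms npm accepts (git+https://, github shorthand, https:// tarball
// URLs, file: paths, dist-tags) are rejected up front.

// Strict semver per semver.org: MAJOR.MINOR.PATCH with optional prerelease and
// build metadata. No "v" prefix, no ranges (^, ~, >=), no URLs or paths.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns true only for an exact semver version or the "latest" dist-tag.
function isSafeVersionSpecifier(spec) {
  if (typeof spec !== 'string') return false;
  const s = spec.trim();
  if (s === 'latest') return true; // the single dist-tag we allow
  return SEMVER_RE.test(s);
}

// Builds the argv for `npm install`. Assumes packageName has already been
// checked against the registry's plugin/webapp list (as the page says the
// endpoint does). Throws instead of passing a rejected specifier through.
function buildInstallArgs(packageName, version) {
  if (!isSafeVersionSpecifier(version)) {
    throw new Error(`rejected npm version specifier: ${JSON.stringify(version)}`);
  }
  // One argv element, to be run via spawn() without a shell.
  return ['install', `${packageName}@${version.trim()}`];
}

// Splits a batch of candidate specifiers into accepted and rejected lists,
// useful for logging what an admin request tried to install.
function triageSpecifiers(specs) {
  const accepted = [];
  const rejected = [];
  for (const s of specs) (isSafeVersionSpecifier(s) ? accepted : rejected).push(s);
  return { accepted, rejected };
}

// Constructed sample input: one legitimate version next to the specifier
// shapes the advisory describes (git repo, GitHub shorthand, tarball URL).
const SAMPLE_SPECIFIERS = [
  '2.19.0',
  'latest',
  'git+https://example.invalid/some-plugin.git',
  'someuser/somerepo',
  'https://example.invalid/some-plugin.tgz',
  'file:../some-dir',
];
```

`npm install --ignore-scripts` is a separate, defense-in-depth control that stops install scripts from running at all, at the cost of breaking packages that legitimately need a build step; the allowlist above does not remove that need.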

CVE-2025-68619 - HIGH Severity (7.3) | Free CVE Database | 4nuxd