Embedded malicious code (backdoor) in 1337qq-js

#VU24229 Embedded malicious code (backdoor) in 1337qq-js

Published: 2020-01-13

Vulnerability identifier: #VU24229

Vulnerability risk: Critical

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: N/A

CWE-ID: CWE-506

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
1337qq-js
Web applications / Modules and components for CMS

Vendor: Andre Eleuterio

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the server.

The package exfiltrates sensitive information through install scripts on Linux/UNIX systems. The information exfiltrated includes:

Environment variables
Running processes
/etc/hosts
uname -a
npmrc file

Remove the package from your system and rotate any compromised credentials.

Mitigation
It is recommended to remove this software.

Vulnerable software versions

1337qq-js: 1.0.2 - 1.0.11

External links
http://www.npmjs.com/advisories/1455

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Backdoor in 1337qq-js NPM package