>We recently came across a suspicious NPM package called `buildrunner-dev`. The package is deceptively simple, containing a package.json with a postinstall hook pointed at an `init.js` file, but that’s where things got interesting.
>The postinstall script was triggered upon package installation and dropped a batch file called `packageloader.bat`. At first glance it looked like pure noise due to thousands of characters that appear to be gibberish; nature-themed REM comments, and variable names that read like a cat walked across someone’s keyboard. But as we started peeling back layer after layer of obfuscation, we uncovered a remarkably well-engineered attack chain that hides its true payloads inside the RGB pixel values of PNG images hosted on a free image service.
Matthew Remacle (Remy) digs into the newly disclosed Apache Struts2 CVE-2023-50164 file upload vulnerability. This weakness allows an attacker to drop a web shell that can be called remotely through a public interface over defined routes.
Apache Struts2 is an open-source Java web application development framework used in various enterprise-grade applications and business use cases.
The vulnerability occurs when a multipart form request is used, and the constraints for path normalization are bypassed.
The attacker can inject a web shell (e.g., shell.jsp) into the file system, which can then be remotely called.
The exploitation of this vulnerability depends on the specific implementation of Apache Struts2 in a vendor's product and the defined actions' path.
>The postinstall script was triggered upon package installation and dropped a batch file called `packageloader.bat`. At first glance it looked like pure noise due to thousands of characters that appear to be gibberish; nature-themed REM comments, and variable names that read like a cat walked across someone’s keyboard. But as we started peeling back layer after layer of obfuscation, we uncovered a remarkably well-engineered attack chain that hides its true payloads inside the RGB pixel values of PNG images hosted on a free image service.