dissect dead node service core dumps with mdb via a smart os vm
mdb is an awesome debugger that comes with SmartOS. There's an extension for it that allows you to postmortem node core files.
However, a tremendous number of people run node on Linux (not least because of Docker and what not).
But it turns out that mdb can analyse Linux core files; we just have to give it the core file and the node binary that was running when the core file was generated.
The problem is, actually getting your Linux core file into an environment that is running a version of mdb that this can work with is... painful.
So, autopsy abstracts that pain away, and installs an autopsy executable on Linux that essentially acts as a proxy to the mdb client within the SmartOS VM.
You can also run autopsy on OS X, but you'll need the linux node binary and core file to pass to it.
Autopsy depends on VirtualBox; on Ubuntu/Debian we can do
sudo apt-get install virtualbox
There's also currently a hard dependency on expect
sudo apt-get install expect
On OS X - well we can work it out ;)
sudo npm install -g autopsy
This will install autopsy on the system, download the SmartOS virtual machine assets and set up a SmartOS VM in VirtualBox.
The VM assets download is ~450 MB; in testing on a fairly decent connection, setup from start to finish (not including npm dep installs) takes around 1.5 minutes. This is because we're using multithreaded downloading and host the assets on S3.
Once finished the following executables will be available
If postinstall setup is interrupted for any reason (including network failure during the assets download), try again with
autopsy-setup
If there was a partial download, it should resume rather than restart.
The autopsy command takes the following args
autopsy [node-binary] core-file
On OS X the node binary is not optional; on Linux, if it is not supplied, the currently installed node binary will be used.
When this command is run the following occurs
::load v8
to get the v8 related debugging commands. For using mdb see the mdb reference docs.
In production, if we run our node processes with --abort-on-uncaught-exception we will always get a core dump when a process crashes (that is, as long as our Linux environment is set up correctly).
You can also manually generate a core file using process.abort().
Finally, a core file can also be obtained by attaching gdb to a running process and executing generate-core.
If you're using an Ubuntu server (and probably Debian etc. etc.) you may have apport installed - this intercepts core files, so we need to get rid of it
sudo apt-get purge apport
Next you need to make sure that linux is configured to allocate space for the core file, like so
ulimit -c unlimited
Put this in a start up script and what not.
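Both settings above are easy to get wrong silently: apport (or another handler) registered in core_pattern quietly takes the core away, and a core size limit of 0 means nothing is written at all, so the first crash in production is also the first time you find out. The following POSIX sh check is an added example, not part of autopsy or its README. core_dump_check takes the two relevant values as arguments so it can be tried on sample input; core_dump_check_live reads them from the running host via /proc/sys/kernel/core_pattern and ulimit -S -c (both standard Linux interfaces). The apport core_pattern string used as sample input is Ubuntu's default, included here as a constructed example value.

```shell
#!/bin/sh
# Added example, not part of autopsy: check whether a Linux host will keep the
# core file a crashing node process produces. Two things get in the way:
#   1. /proc/sys/kernel/core_pattern starting with '|' pipes the core into a
#      handler (apport on Ubuntu, systemd-coredump elsewhere) instead of
#      writing it next to the process, so there is no file to hand to autopsy;
#   2. a soft core size limit (ulimit -c) of 0 means no core is written at all.

# core_dump_check PATTERN LIMIT
#   PATTERN: contents of /proc/sys/kernel/core_pattern
#   LIMIT:   soft core size limit in KiB as printed by `ulimit -S -c`
# Prints a diagnosis per setting; returns 0 when a core file would be written
# to disk, 1 when it would be swallowed or suppressed.
core_dump_check() {
  pattern=$1
  limit=$2
  status=0

  case "$pattern" in
    '|'*)
      echo "core_pattern pipes cores to a handler: $pattern"
      echo "  on Ubuntu: sudo apt-get purge apport, then re-check"
      status=1
      ;;
    '')
      echo "core_pattern is empty; cores cannot be written"
      status=1
      ;;
    *)
      echo "core_pattern writes files: $pattern"
      ;;
  esac

  case "$limit" in
    unlimited)
      echo "core size limit: unlimited"
      ;;
    0)
      echo "core size limit is 0; add 'ulimit -c unlimited' to the service start-up script"
      status=1
      ;;
    *)
      # A finite limit still produces a file, but a node heap larger than the
      # limit is truncated and mdb may not be able to walk it; flag it.
      echo "core size limit is $limit KiB; larger cores will be truncated"
      ;;
  esac

  return "$status"
}

# core_dump_check_live reads both values from the running host.
core_dump_check_live() {
  core_dump_check "$(cat /proc/sys/kernel/core_pattern 2>/dev/null)" "$(ulimit -S -c)"
}

# Constructed sample values (Ubuntu's default apport pattern, then the kernel's
# default 'core'), so the check can be tried without touching the host.
if core_dump_check '|/usr/share/apport/apport %p %s %c %d %P' unlimited; then
  echo "-> ready"
else
  echo "-> not ready"
fi
if core_dump_check core unlimited; then
  echo "-> ready"
else
  echo "-> not ready"
fi
```

Run core_dump_check_live from the same shell (or the same start-up script) that launches the node service: ulimit is per process and inherited, so a check made from a different login shell can pass while the service itself still runs with a limit of 0.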
The install is as big as it is because we're, like.. running an entire virtual machine. We'll get it smaller (hopefully); this is a first pass and we're focusing on functionality.
The example folder has a core file and a node binary that were generated by the die.js file.
You can try out autopsy with these two files (on OS X and Linux), from the same folder as this readme do
autopsy example/node example/core
Once the mdb console appears you can try
> ::jsstack
For starters, and then if you want to get fancy
> ::findjsobjects -p myproperty
137289672551
> 137289672551::jsprint
The latest SmartOS comes with an old version of mdb_v8; as of autopsy 0.0.2 the VM runs mdb_v8 1.2.2 (latest at time of writing). To upgrade the mdb_v8 version (without waiting for an autopsy release) we can perform the following steps
ssh -p 2222 root@localhost
pw: mdb
zlogin 7f3ba160-047c-4557-9e87-8157db23f205
mkdir /mdb && cd /mdb
pkgin install gcc49-4.9.1 gmake-4.0 git
git clone https://github.com/joyent/mdb_v8
cd mdb_v8 && make && cd ..
cp mdb_v8/builds/amd64/mdb_v8.so .
At this point we have successfully upgraded to the latest mdb_v8; however, we have a lot of extra dev packages installed in the VM, making it much less lean. So, we may want to copy the mdb_v8.so file out of the VM, like so:
scp -P 2222 root@localhost:/zones/7f3ba160-047c-4557-9e87-8157db23f205/root/mdb/mdb_v8.so .
Then recreate the VM (follow "removing the vm" below, then npm run setup) and copy the file back in (this is what we do for releases).
scp -P 2222 mdb_v8.so root@localhost:/zones/7f3ba160-047c-4557-9e87-8157db23f205/root/mdb
Currently there's no command for removing the vm; follow these steps, in order
1. Remove the assets folder from the autopsy module folder: rm $(npm get prefix)/lib/node_modules/autopsy/assets
2. Remove the VM's files from ~/VirtualBox\ VMs
FAQs
We found that autopsy demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.