This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fixed Command Injection #1

Merged
merged 2 commits into from Apr 17, 2020

Conversation

mufeedvh

@mufeedvh mufeedvh commented Apr 10, 2020

⚙️ Fix:

I had real fun fixing this one! The code was really clean, and tracing which variables were passed through which functions was awesome! 😄

The fix is implemented by using cp_execfile() (execFile) instead of cp_exec() (exec).

How:

The _is_clamav_binary() function was vulnerable to Command Injection: it accepted a variable, scanner, to determine which utility to choose, i.e. clamdscan or clamscan.

execFile() executes a system command from a binary path, i.e. /bin/ls for the ls command. Since the scanner variable is passed to version_cmds{} to be concatenated with the argument --version, it was easy to implement the fix. The path was set as /usr/bin/clamdscan in the constructor function, so simply splitting the command and passing it to execFile() fixes the issue.

🗒️ Proof of Concept:

Place it in the root folder of the project as poc.js.

// poc.js: lives in the project root, next to index.js
var Root = require("./index.js");
var fs = require("fs");
// payload the shell will run if the binary path is concatenated into an exec() string
var attack_code = "echo vulnerable > create.txt";
var root = new Root();
// create a directory whose name is the payload so any existence check on the path passes
fs.mkdir(attack_code + "&", function(){});
// hand the payload over as the clamscan binary path; the library appends " --version" and executes it
root.init({"clamscan": {'path': attack_code + "&"}});

🔥 Fix in Action:

🍎 Mac:

$ brew install clamav
$ node poc.js

🐧 Linux:

$ sudo apt-get install clamav
$ node poc.js

❤️ After Fix:

[screenshot: clamscan-command-injection-fix]

As you can see in the above screenshot, no file named create.txt was created! ✔️


✌️ Fixed


@huntr-helper
Member

Congratulations @mufeedvh - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!
