
Vulnerability in getpwnam, found by NodeMedic-FINE #5

Closed
jhuckaby opened this issue Feb 16, 2024 · 1 comment


From NodeMedic-FINE:

ACI in pixl-tools

Package source

Github repo

Package description

A set of miscellaneous utility functions for Node.js.

Vulnerability Overview

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).

If (attacker-controlled) user input is given to the getpwnam function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html

[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback

Reproduction

The proof-of-concept code below illustrates the issue. Executing this code will cause the command touch /tmp/success to be executed, leading to the creation of a file called success in the /tmp directory.

var PUT = require('pixl-tools');
var x0 = " $(touch /tmp/success) # \" || touch /tmp/success # ' || touch /tmp/success";
var x1 = false;
new PUT["getpwnam"](x0,x1)();

Environment: Node.js v15.5.0 on Linux

Steps to reproduce:

  1. npm i pixl-tools@1.0.33
  2. Create a file, poc.js, containing the PoC code.
  3. Execute the file: node poc.js

A file called success will be created in the tmp directory as a result of the execution of the PoC.

Mitigation

  • Consider using execFile [1] or execFileSync [2] if possible, which do not spawn a shell.
  • If possible, consider only passing inputs to exec that match a predefined allow-list.
  • If using an allow-list is not possible, consider sanitizing inputs to exec such that they do not contain shell meta-characters such as $().

To contact

jhuckaby jhuckaby@gmail.com

@jhuckaby (Owner, Author)

Fixed in v1.0.37. Huge thanks to NodeMedic-FINE!
