Fixed @ Command Injection in moment-timezone #8
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Vulnerability Description
Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint
The
tasks/data-download.js
script takes in a parameter from grunt and uses it to form a command line which is then executed:Ordinarily, one one run this script using something like
grunt data-download:2014d
, in which case version would have the value2014d
. However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary codeCommand Injection via data-zdump.js
The
tasks/data-zdump.js
script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.In this case, an attacker able to add a file to
temp/zic/2014d
(for example) with a filename likeZ; curl www.redacted
would influence the called to exec on line 36 and run arbitrary code. There are a few minor challenges in exploiting this, since the string needs to be a valid filename.Command Injection via data-zic.js
Similar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.
As a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.
Patches References
The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. It switches
exec
toexecFile
so arbitrary bash fragments won't be executed any more.