icemonster/network.md Secret

## network.md

      
    Raw
  

              network.md
            
          
    ACI in network

Package source


https://www.npmjs.com/package/network

Github repo


https://github.com/tomas/network

Package description

Cross platform network utilities for Node.js (gateway_ip, MAC address, etc)
Vulnerability Overview

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).
If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.
This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].
[1] https://cwe.mitre.org/data/definitions/77.html
[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback
Reproduction

The proof-of-concept code below illustrates the issue. Executing this code will cause the command touch /tmp/success to be executed, leading to the creation of a file called success in the /tmp directory.
var PUT = require('network');
var x0 = " $(touch /tmp/success) # \" || touch /tmp/success # ' || touch /tmp/success";
var x1 = "{}";
new PUT["mac_address_for"](x0,x1);
Environment: Node.js v15.5.0 on Linux
Steps to reproduce:

npm i network@0.6.1
Create a file, poc.js, containing the PoC code.
Execute the file: node poc.js

A file called success will be created in the tmp directory as a result of the execution of the PoC.
Mitigation


Consider using execFile [1] or execFileSync [2] if possible, which do not spawn a shell.
If possible, consider only passing inputs to exec that match a predefined allow-list.
If using an allow-list is not possible, consider sanitizing inputs to exec such that they do not contain shell meta-characters such as $().