systeminformation, Command Injection, CVE-2024-56334 (HIGH)

Listen to this Post

The vulnerability stems from a flawed retry mechanism within the `wifiNetworks()` function in lib/wifi.js. While the initial function call sanitizes the user-supplied `iface` parameter to prevent command injection, a problem arises if the first Wi-Fi scan returns no results. In this specific edge case, a `setTimeout` retry is triggered, which calls the helper function getWifiNetworkListIw(iface). Critically, this retry call uses the original, unsanitized `iface` value provided by the user . This raw string is then directly interpolated into a shell command: execSync('iwlist ${iface} scan'). An attacker can exploit this by injecting arbitrary commands, for example, by passing a value like 'eth0; id'. On the retry, the system executes iwlist eth0; id scan, running the `id` command on the host operating system with the privileges of the Node.js process. This results in full Remote Code Execution (RCE) .

dailycve form:

Platform: Node.js library
Version: up to 5.23.6
Vulnerability : OS Command Injection
Severity: HIGH (7.8)
date: 2024-12-20

Prediction: Patch exists (5.23.7)

What Undercode Say:

Analytics:

  • The vulnerability is officially registered as CVE-2024-56334 .
  • It affects the `systeminformation` npm package, a library with millions of weekly downloads .
  • The issue is specific to a double-use of a user-controlled parameter where only the first instance is sanitized.
  • The CVSS v3.1 base score is 7.8 (High), with the vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H .
  • Successful exploitation leads to arbitrary command execution with the privileges of the Node.js process .
  • The vulnerable function is wifiNetworks(), specifically in the retry code path .
  • The root cause is the unsafe passing of the `iface` variable to `execSync` in `getWifiNetworkListIw` .
  • The issue was fixed in version `5.23.7` of the library by ensuring the parameter is sanitized in all code paths .
  • The vulnerability is considered high severity as it can lead to full system compromise if an application passes unsanitized user input to this function.
  • There are no known public exploits at this time, but the proof of concept is straightforward .

Bash Commands and Code:

1. Check installed version:

npm list systeminformation

2. Update to the patched version:

npm install [email protected]

3. Vulnerable Code Snippet (Conceptual):

// In lib/wifi.js
function wifiNetworks(iface) {
// Initial call sanitizes: iface = sanitize(iface);
let results = iwlist(iface);
if (results.length === 0) {
// Retry path uses the UNSANITIZED original 'iface' after a timeout
setTimeout(() => {
getWifiNetworkListIw(originalIface); // Vulnerability
}, 100);
}
}
function getWifiNetworkListIw(iface) {
// Direct injection point
return execSync(<code>iwlist ${iface} scan</code>);
}

How Exploit:

  • An attacker provides a malicious string to the `iface` parameter of si.wifiNetworks().
  • The malicious payload uses command separators (like `;` or &&) to inject a new command.
  • Example Call:
    const si = require('systeminformation');
    // The 'id' command will execute on the retry attempt.
    si.wifiNetworks('eth0; id');
    
  • Resulting Executed Command (on retry):
    iwlist eth0; id scan
    
  • The shell first tries to run iwlist eth0, and then executes the injected `id` command, revealing user and group information .

Protection from this CVE:

  1. Immediate Patching: Upgrade the `systeminformation` library to version 5.23.7 or higher immediately .
  2. Input Validation: If you cannot patch immediately, implement strict validation on any user input passed to wifiNetworks(). Only allow alphanumeric characters and specific safe characters for interface names (e.g., eth0, wlan0). Reject any input containing spaces, semicolons, ampersands, or backticks .
  3. Principle of Least Privilege: Ensure the Node.js process runs with the minimum necessary operating system privileges to limit the impact of a successful RCE .

Impact:

Remote Code Execution (RCE). An attacker can execute arbitrary operating system commands on the host machine. Depending on the Node.js process’s privileges, this could lead to data theft, installation of backdoors, or complete server takeover. This is especially critical in environments where the application passes untrusted input (like network names or user-provided strings) directly to this function .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top