The vulnerability in willitmerge@0.2.1 is a command injection flaw caused by improper neutralization of special elements used in an OS command. The application calls the `child_process.exec` API, which runs the supplied string through a shell. User-controlled input from the `--remote` command-line flag and from Git branch names fetched from a remote repository is concatenated directly into the strings that form the git commands. Because this input is not sanitized, an attacker can break out of the intended git command and inject arbitrary shell commands with shell metacharacters such as semicolons. When the crafted string reaches `exec`, the shell interprets the metacharacters and runs the injected commands with the privileges of the main application process.
Platform: npm
Version: 0.2.1
Vulnerability: Command Injection
Severity: Critical
Date: 2020
Prediction: 2020-02-24
What Undercode Says:
willitmerge --verbose --remote "https://example.com; cat /etc/passwd"
git checkout -b 'malicious; touch /tmp/pwned'
find . -name "*.js" -exec grep -l "child_process.exec" {} \;
How the Exploit Works:
The attacker supplies malicious input through the `--remote` flag or a crafted branch name. The input contains shell metacharacters followed by the command to inject. The unsanitized input is concatenated into the command string handed to `child_process.exec`. The shell then executes both the intended git command and the injected command.
Protection from this CVE
Upgrade to a patched version. Sanitize any value that reaches a shell command. Prefer `child_process.execFile` or `spawn`, passing the program and its arguments as a separate array so that no shell ever parses the user-controlled value. Validate remote URLs and branch names against an allowlist and escape anything that must still be embedded in a command string. Use security linters to flag `exec` calls built from concatenated strings.
Impact:
Remote Code Execution
System Compromise
Arbitrary File Manipulation
Sources:
Reported By: github.com

