Command Injection Affecting shell-quote package, versions <1.6.1


0.0
high

Snyk CVSS

    Exploit Maturity Proof of concept
    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:shell-quote:20160621
  • published 21 Jun 2016
  • disclosed 21 Jun 2016
  • credit Koki Takahashi, Node Security Team

How to fix?

Upgrade shell-quote to version 1.6.1 or higher.

Overview

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Command Injection. The quote function does not properly escape the following special characters <, >, ;, {, } , and as a result can be used by an attacker to inject malicious shell commands or leak sensitive information.

Proof of Concept

Consider the following poc.js application

var quote = require('shell-quote').quote;
var exec = require('child_process').exec;

var userInput = process.argv[2];

var safeCommand = quote(['echo', userInput]);

exec(safeCommand, function (err, stdout, stderr) { console.log(stdout); });

Running the following command will not only print the character a as expected, but will also run the another command, i.e touch malicious.sh

$ node poc.js 'a;{touch,malicious.sh}'

References