OS Command Injection in zacanger/is-program-installed

Valid

Reported on

Sep 12th 2021


✍️ Description

There is an "OS Command Injection" vulnerability in the "is-program-installed" npm package. The package checks whether the program or binary whose name is passed as its parameter is installed on the computer. However, because the package does not restrict the characters allowed in that program name, the input can be used to run commands on the operating system.

🕵️‍♂️ Proof of Concept

// PoC.js
const isInstalled = require('is-program-installed')
console.log(isInstalled('powershell.exe && whoami > result.txt'));
// After running this program, "result.txt" file will be created with the "whoami" command's output in it.

💥 Impact

An attacker who controls the program name passed to the package can run arbitrary commands on the machine.

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the zacanger/is-program-installed team and are waiting to hear back 10 months ago
We have sent a second follow up to the zacanger/is-program-installed team. We will try again in 10 days. 9 months ago
We have sent a third and final follow up to the zacanger/is-program-installed team. This report is now considered stale. 9 months ago
oivrip
8 months ago

Researcher


Any update? It has been 3 months.

Jamie Slome
a month ago

Admin


The maintainer just responded on the GitHub Issue. I am sending them the report URL now :)

zacanger
a month ago

Maintainer


Thanks for the report, sorry it took forever to take a look at. Fixed in 2.3.4: https://github.com/zacanger/is-program-installed/blob/v2.3.4/index.js#L76=

zacanger validated this vulnerability a month ago
oivrip has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
zacanger confirmed that a fix has been merged on d96b35 a month ago
zacanger has been awarded the fix bounty
zacanger gave praise a month ago
Thanks for the report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
oivrip
a month ago

Researcher


Thanks for the fix : )
