Azure / ms-rest-nodeauth

node.js based authentication library for Azure with type definitions
MIT License

Potential command injection in ms-rest-nodeauth #115

Closed zpbrent closed 3 years ago

zpbrent commented 3 years ago

Package Version: 3.0.7

Describe the bug: The core function execAz(), which is purposely used for the az command, can be injected with arbitrary other OS commands. Also, attackers can exploit this vulnerability by calling AzureCliCredentials.setDefaultSubscription("OS command") from the Azure CLI.

To Reproduce

// PoC.js
const auth = require('@azure/ms-rest-nodeauth');
// The subscription string reaches the shell unescaped, so the shell metacharacters run.
auth.AzureCliCredentials.setDefaultSubscription('aa --out json;$(touch HACKED); #');

Expected behavior: The illegal file HACKED should not be created on the machine.


Additional context: I have reported this vulnerability through huntr.dev at https://www.huntr.dev/bounties/1-npm-@azure/ms-rest-nodeauth/ and have also proposed a possible fix with a PR at https://github.com/418sec/ms-rest-nodeauth/pull/1

Please help to confirm whether this is indeed a bug and also whether the fix is feasible, thanks!

ramya-rao-a commented 3 years ago

Thanks for reporting @zpbrent. Please feel free to open a PR in this repo with your fix.

Also refer to https://aka.ms/bugbounty for our bounty programs for future use.

zpbrent commented 3 years ago

Thanks for reporting @zpbrent. Please feel free to open a PR in this repo with your fix.

Also refer to https://aka.ms/bugbounty for our bounty programs for future use.

Thank you for your response @ramya-rao-a. Also, can you kindly help by replying "@huntr-helper - LGTM" in the PR https://github.com/418sec/ms-rest-nodeauth/pull/1, so that the huntr bot can automatically open a new PR to request the merge of the fix into your package, many thanks.

By the way, what is your opinion on whether this bug deserves a CVE? If so, can you help to request one for it, many thanks!

Sure, I will refer to https://aka.ms/bugbounty for any more bugs in the future.

ramya-rao-a commented 3 years ago

Related PR: #117

zpbrent commented 3 years ago

Related PR: #117

Hey @ramya-rao-a, sorry to disturb you again, but I find that CVE-2021-28458 has not been added to the CVE list until now at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28458. From my previous experience, when a CVE is issued, it is added to the CVE database within two days. So I am confused whether something is wrong or this CVE will take longer than others to be added?

xirzec commented 3 years ago

I'm following up on our side, will update when I get some answers.

zpbrent commented 3 years ago

I'm following up on our side, will update when I get some answers.

@xirzec thanks!

zpbrent commented 3 years ago

I'm following up on our side, will update when I get some answers.

Hey @xirzec, I have just found the release of this CVE at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28458, thank you so much for your efforts. Also, can you do me another favor and list my name zpbrent (zhou, peng@shu) in the acknowledgements part of this advisory at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28458#acknowledgements, so my disclosure of this vulnerability can be linked directly. Many thanks for your help and time!