A robust ClamAV virus scanning library supporting scanning files, directories, and streams with local sockets, local/remote TCP, and local clamscan/clamdscan binaries (with failover).
MIT License
Security Fix for Command Injection - huntr.dev #63
https://huntr.dev/users/alromh87 has fixed the Command Injection vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
clamscan is a Node.js package used to scan files on your server with ClamAV's clamscan binary or clamdscan daemon. This is especially useful for scanning uploaded files provided by untrusted sources.
This package is vulnerable to Command Injection: it is possible to inject arbitrary commands as part of the _is_clamav_binary function located within Index.js.
It should be noted that this vulnerability requires, as a prerequisite, that a folder be created with the same command that will be chained to execute; this lowers the risk of this issue.
Avoid creating a string and then splitting it; instead pass the path directly to cp_execfile(), so that it is handled as the command only, instead of as command and argument.
// PoC: the configured "path" is a string containing a space; the vulnerable
// _is_clamav_binary() re-tokenises it into a command plus one argument.
var Root = require("./");          // the clamscan module (NodeClam class)
var fs = require("fs");
var attack_code = "touch vulnerable.txt";
var root = new Root();
// The vulnerable code first checks that the configured path exists, so the
// PoC creates a directory with that exact name.
fs.mkdir(attack_code, function(){});
// Passing the string as the clamscan binary path triggers the split and exec.
root.init({"clamscan": {'path': attack_code}});
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | https://github.com/418sec/clamscan/pull/3
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/clamscan/1/README.md
User Comments:
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/1-npm-clamscan
⚙️ Description *
There is a previous fix, https://github.com/418sec/clamscan/pull/1, that would still allow arbitrary command execution with one argument.
Updated with the latest changes from upstream.
💻 Technical Description *
Avoid creating a string and then splitting it; instead pass the path directly to cp_execfile(), so that it is handled as the command only, instead of as command and argument.
🐛 Proof of Concept (PoC) *
node poc.js
vulnerable.txt will be created
🔥 Proof of Fix (PoF) *
After the fix, no file is created.
👍 User Acceptance Testing (UAT)
Functionality unaffected.