June 17, 2020

GHSL-2020-119: command injection vulnerability in node-dns-sync resolve method - CVE-2020-11079

Kevin Backhouse

Summary

The resolve method of the node-dns-sync library had a command injection vulnerability. Clients of the node-dns-sync library are unlikely to be aware of this, so they might unwittingly write code that contains a command injection vulnerability. This issue was resolved in version 0.2.1.

Product

node-dns-sync

Tested Version

Commit 93b8034

Details: Command injection in resolve

Node-dns-sync's resolve method did not sufficiently sanitize user-supplied input, which allowed for arbitrary shell command injection.

For example:

var dnsSync = require('dns-sync');
// the second argument reaches the shell unsanitized
dnsSync.resolve('www.paypal.com', " && touch exploit");

Would result in the touch exploit shell command being run on the system invoking the method.

Impact

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

CVEs

  • CVE-2020-11079

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Resources

This vulnerability is similar to command injection vulnerabilities that have been found in other JavaScript libraries. Here are some examples:

CVE-2020-7646, CVE-2020-7614, CVE-2020-7597, CVE-2019-10778, CVE-2019-10776, CVE-2018-16462, CVE-2018-16461, CVE-2018-16460, CVE-2018-13797, CVE-2018-3786, CVE-2018-3772, CVE-2018-3746, CVE-2017-16100, CVE-2017-16042.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the node-dns-sync project here.

Credit

This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-119 in any communication regarding this issue.