hackerone / effectrenan / H1:661959
Jul 27, 2019 - 6:02 p.m.

Node.js third-party modules: Command Injection vulnerability in kill-port-process package

2019-07-27 18:02:04
effectrenan
hackerone.com

CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.022 Low
Percentile: 87.7%

I would like to report a command injection vulnerability in the kill-port-process package. It allows an attacker to inject arbitrary commands.

Module

module name: kill-port-process
version: 1.1.0
npm page: https://www.npmjs.com/package/kill-port-process

Module Stats

0 downloads in the last day
138 downloads in the last week
660 downloads in the last month

Vulnerability

Vulnerability Description

The attacker can control the port number and can then insert a shell command instead of a port number. The root user is the only user that can execute the kill command on the OS, thus root will execute an arbitrary command.

Steps To Reproduce:

Installing the module: npm install kill-port-process -E

Following the example in the npm page:

const killPortProcess = require('kill-port-process');
const PORT = "$(<Shell Command>)";
// await is only valid inside an async function in a CommonJS script
(async () => {
  await killPortProcess(PORT);
})();

CLI mode:

kill-port "$(<Shell Command>)"

Patch

In the file src/lib/killer.ts:
Replace: import { exec } from 'child_process'
To: import { spawn } from 'child_process'

Supporting Material/References:

  • Arch Linux 5.2.1 x64
  • NODEJS 11.15.0
  • NPM 6.10.2

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

An attacker can execute arbitrary commands on the victim’s machine.
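
The Patch section above swaps exec for spawn. As an added example (not code from the report or from the package), this sketch shows what that change has to look like at the call site: the port is validated as an integer and passed as an argument vector with no shell. The lsof lookup command and the function names are assumptions made for illustration.

```javascript
'use strict';
const { spawn } = require('child_process');

// Assumption: the PID lookup is `lsof -t -i:<port>`; the package may use a different command.
// exec()-style: one string handed to /bin/sh, so $(...) inside `port` is expanded by the shell.
function shellCommandString(port) {
  return `lsof -t -i:${port}`;
}

// Accept only a decimal integer in 1..65535; anything else is rejected before a process starts.
function parsePort(input) {
  if (typeof input !== 'string' && typeof input !== 'number') {
    throw new TypeError('port must be a string or number');
  }
  const text = String(input);
  if (!/^[0-9]{1,5}$/.test(text)) {
    throw new TypeError(`invalid port: ${JSON.stringify(text)}`);
  }
  const port = Number(text);
  if (port < 1 || port > 65535) {
    throw new RangeError(`port out of range: ${port}`);
  }
  return port;
}

// spawn()-style: program plus argument vector, no shell; each element reaches lsof verbatim.
function lookupArgv(input) {
  return ['lsof', ['-t', `-i:${parsePort(input)}`]];
}

// Resolves to the PIDs using the port; rejects on invalid input or if lsof is not installed.
async function findPids(input) {
  const [cmd, args] = lookupArgv(input);
  return new Promise((resolve, reject) => {
    const child = spawn(cmd, args, { shell: false, stdio: ['ignore', 'pipe', 'ignore'] });
    let out = '';
    child.stdout.on('data', (chunk) => { out += chunk; });
    child.on('error', reject);
    child.on('close', () => resolve(out.split('\n').filter(Boolean).map(Number)));
  });
}

// Constructed inputs: two valid ports, the report's placeholder, and other malformed values.
for (const input of ['8080', 443, '$(<Shell Command>)', '80x', '0', '70000', ' 80']) {
  try {
    console.log(JSON.stringify(input), '->', JSON.stringify(lookupArgv(input)));
  } catch (err) {
    console.log(JSON.stringify(input), '-> rejected:', err.message);
  }
}
```

Changing only the import is not enough: spawn avoids the shell only when the arguments are passed as an array and the shell option is left disabled.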
