CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.004 Low
Percentile: 69.9%

I would like to report an RCE issue in the tree-kill module.
It allows executing arbitrary commands remotely inside the victim's PC.

module name: tree-kill
version: 1.2.1
npm page: https://www.npmjs.com/package/tree-kill
> Kill all processes in the process tree, including the root process.
[N/A] downloads in the last day
[2,108,440] downloads in the last week
[~10M] downloads in the last month

The issue occurs because a user input is concatenated with a command that will be executed without any check. The issue arises here: https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20 (as you can see, the Linux part is sanitized, while the Win one is not … it simply uses the + operand to concatenate the input)

```javascript
// poc.js
var kill = require('tree-kill');
kill('3333332 & echo "HACKED" > HACKED.txt & ');
```

```
npm i tree-kill # Install affected module
dir # Check *HACKED.txt* doesn't exist
node poc.js # Run the PoC
dir # Now *HACKED.txt* exists :)
```

HACKED.txt will be created, containing the HACKED string

Linux (I’ll be able to reinstall win only the next week), but the code shown in the module (line 20) makes clear the attack is possible. Pls note I’m not sure of the batch syntax used, as said I can’t verify it on a win machine. Before closing the report, share with me eventual problems, in order to make me able to determine if the provided PoC is fully working or lacks in something :)

> Don’t concatenate commands using insecure user's inputs :)

win OS … I’ve simply checked the code)

RCE on tree-kill via insecure command concatenation
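
The advice in the report (do not concatenate caller input into a command) can be shown side by side with the vulnerable pattern. This is an added example, not tree-kill's code or the reporter's: the function names are hypothetical, and the `taskkill` command line is an assumption modelled on the concatenation the report describes.

```javascript
// Added example: all function names here are hypothetical, not tree-kill's API.
const { execFile } = require('child_process');

// Vulnerable pattern from the report: caller input is joined into one string
// that a shell (cmd.exe, via child_process.exec) would then parse.
function buildCommandUnsafe(pid) {
  return 'taskkill /pid ' + pid + ' /T /F';
}

// Accept only a positive integer PID and reject everything else before it
// can reach any process-spawning API.
function parsePid(input) {
  const text = typeof input === 'number' ? String(input) : input;
  if (typeof text !== 'string' || !/^[1-9][0-9]*$/.test(text)) {
    throw new TypeError('pid must be a positive integer');
  }
  const pid = Number(text);
  if (!Number.isSafeInteger(pid)) {
    throw new TypeError('pid is out of range');
  }
  return pid;
}

// Arguments as an array: each element becomes exactly one argv entry.
function buildArgsSafe(input) {
  return ['/pid', String(parsePid(input)), '/T', '/F'];
}

// Hardened kill: validated PID and no shell (execFile instead of exec).
function killTreeWindows(input, callback) {
  let args;
  try {
    args = buildArgsSafe(input);
  } catch (err) {
    return process.nextTick(callback, err);
  }
  execFile('taskkill', args, { windowsHide: true }, callback);
}

// The PoC string from the report, reused as the sample input.
const POC_INPUT = '3333332 & echo "HACKED" > HACKED.txt & ';

// True when parsePid refuses the input with a TypeError.
function isRejected(input) {
  try { parsePid(input); return false; } catch (e) { return e instanceof TypeError; }
}
```

With the unsafe builder the `&` separators from the PoC string end up inside the command line; with the validated form the same input never reaches `execFile`.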