OS Command Injection in zacanger/is-program-installed

Valid

Reported on Sep 12th 2021


✍️ Description

There is an "OS Command Injection" vulnerability in the "is-program-installed" npm package. This package checks whether the program or binary named by its parameter is installed on the computer. However, because the package does not properly validate the characters in the program name taken as input, it is possible to run commands on the operating system.

🕵️‍♂️ Proof of Concept

// PoC.js
const isInstalled = require('is-program-installed')
console.log(isInstalled('powershell.exe && whoami > result.txt'));
// After running this program, "result.txt" file will be created with the "whoami" command's output in it.

💥 Impact

An attacker who controls the program name can run commands on the machine.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the zacanger/is-program-installed team and are waiting to hear back 2 years ago
We have sent a second follow up to the zacanger/is-program-installed team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the zacanger/is-program-installed team. This report is now considered stale. 2 years ago
oivrip
2 years ago

Researcher


Any update? It has been 3 months.

Jamie Slome
a year ago

Admin


The maintainer just responded on the GitHub Issue. I am sending them the report URL now :)

zacanger
a year ago

Maintainer


Thanks for the report, sorry it took forever to take a look at. Fixed in 2.3.4: https://github.com/zacanger/is-program-installed/blob/v2.3.4/index.js#L76=

zacanger validated this vulnerability a year ago
oivrip has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
zacanger marked this as fixed in 2.3.4 with commit d96b35 a year ago
zacanger has been awarded the fix bounty
This vulnerability will not receive a CVE
zacanger gave praise a year ago
Thanks for the report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
oivrip
a year ago

Researcher


Thanks for the fix : )
