This repository was archived by the owner on Aug 13, 2021. It is now read-only.

Security Fix for Remote Code Execution - huntr.dev#10

Open
huntr-helper wants to merge 3 commits intobalderdashy:masterfrom
418sec:master

Conversation

@huntr-helper

https://huntr.dev/app/users/Asjidkalam has fixed the Remote Code Execution vulnerability 🔨. Asjidkalam has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| GitHub Issue URL | #9 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/enpeem/1/README.md |

User Comments:

📊 Metadata *

Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.

Bounty URL: https://www.huntr.dev/app/bounties/open/1-npm-enpeem

⚙️ Description *

Fixed the code execution by replacing an unsafe way to execute the commands (exec) with a cleaner function (execFile).

💻 Technical Description *

There are a few instances in the index.js file calling exec, which wraps the exec function from child_process. I've replaced this call to execFile in the index.js file so we can reliably pass arguments to it. This solves the code injection issue as provided in the POC.

🐛 Proof of Concept (PoC) *

Create a project with the vulnerable package and run the following snippet; a file named HACKED should appear in the current working directory, demonstrating the code execution issue.

```js
var npm = require('enpeem');

// The "production" option value is interpolated into a shell command string by the
// vulnerable version, so the shell metacharacters terminate the intended command and
// run "touch HACKED" instead.
npm.update({ production: 'test; touch HACKED; #', path: '' });
```

[screenshot: before]

🔥 Proof of Fix (PoF) *

After applying the fix, run the snippet again and no file is created, hence the code execution is mitigated.

[screenshot: after]

👍 User Acceptance Testing (UAT)

The only line of code changed was exec to execFile, and no external libraries are used. So it doesn't break the code.

References:

https://gist.github.com/evilpacket/5a9655c752982faf7c4ec6450c1cbf1b
