Command Execution

Module: windows-cpu

Published: May 19th, 2017

Reported by: Daniel Bond

CVE-NONE

CWE-94

Vulnerable: All
Patched: <=0.0.0

Overview

Affected versions of windows-cpu will execute arbitrary code passed into the first argument of the findLoad method, resulting in remote code execution.

Proof of Concept

var win = require('windows-cpu');
wind.findLoad('foo & calc.exe');

Remediation

This package has not been updated since 2015, and it is therefore unlikely that a direct patch will be issued.

At this time, the best solution is to avoid passing user input into findLoad(). If that is a necessity, the next best solution is to pass run the user input through a module that escapes shell command arguments, such as shell-quote.

References