Command Execution

Module: windows-cpu

Published: May 19th, 2017

Reported by: Daniel Bond

CVE-NONE

CWE-94

Vulnerable: All
Patched: <=0.0.0

Overview

Windows-cpu is a CPU monitoring utility for Windows.

The findLoad method passes a provided string directly to the shell, allowing arbitrary command execution.

Proof of Concept: This code will open the built-in calculator program.

var win = require('windows-cpu');
win.findLoad('foo & calc.exe');

Remediation

Avoid passing user input to the findLoad method. If you must, pass user input through a sanitizer (such as a shell escaping tool) prior to passing it to findLoad.
