mversion is a cross-packaging-manager module version handler/bumper. Affected versions would allow attackers to execute unexpected, dangerous commands directly on the operating system.
What is Command Injection?
OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization. (Portswigger)
⚙️ Description
The vulnerability exists in the tagName user input, which allows an attacker to execute remote commands.
💻 Technical Description
The issue occurs in the tagName user input: the input is formatted into the command string passed to the exec function at #L64 and is executed without any checks.
File: lib/git.js
This vulnerability is caused by the use of the exec() function. In general, exec runs its argument through a shell, so it can execute more than one command; when arguments need to be passed to the command, they have to be part of the single command string. Because of that, a shell command separator placed inside the tagName value makes the shell run a separate command, which results in command injection.
🕵️♂️ Proof of Concept
Since the application implements no defenses against OS command injection, an attacker can submit the following input to execute an arbitrary command.
The command executed by the application is:
gitApp tag -a; touch hbkhan ...
The touch command is used to create a file in Linux and is a useful way to test for some types of OS command injection. The ; character is a shell command separator, so what gets executed is actually two separate commands, one after another. As a result, a file named “hbkhan” will be created.
🔥 Fix
The following code calls the escapeQuotes function, which is responsible for sanitizing the input value before it reaches the command string.
Disclosure Timeline:
- 24 June 2020: Issue reported to the author through Github
- 24 June 2020: Proposed a Fix
- 24 June 2020: Pull Request Accepted
- 01 July 2020: CVE Published CVE-2020-7688