CVE-2021-21315 PoC
This is a proof of concept for CVE-2021-21315, which affects the System Information Library for Node.js (npm package "systeminformation"): npmjs.com/systeminformation
"be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected. "
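To show what the quoted guidance means in practice on the caller's side, here is an added example that is not code from this PoC or from the systeminformation package. It accepts only primitive strings (so arrays are rejected before any library call), restricts each name to a conservative allow-list, and wraps the library call so validation always runs first. The allow-list pattern, the comma-separated-list shape assumed for si.services(), and the safeServices wrapper are all assumptions made for this example, not part of the library's API.

```javascript
// Added example, not code from this PoC or from the systeminformation package.
// It enforces the advisory's guidance on the caller side: accept only plain
// strings, reject arrays, and keep the string to a conservative allow-list
// before it reaches si.services() / si.processLoad() / si.inetChecksite().

// Allow-list for one service name: starts alphanumeric, then letters, digits,
// '.', '_', '@', '-' (covers systemd template units such as "getty@tty1").
// This pattern is an assumption chosen for the example, not the library's own.
const SERVICE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._@-]{0,127}$/;

// Validate a single service name. Anything that is not a primitive string is
// rejected up front, which covers the array input that CVE-2021-21315 abused.
function validateServiceName(name) {
  if (typeof name !== "string") {
    const kind = Array.isArray(name) ? "array" : typeof name;
    throw new TypeError(`service name must be a string, got ${kind}`);
  }
  if (!SERVICE_NAME_RE.test(name)) {
    throw new RangeError(`service name contains disallowed characters: ${JSON.stringify(name)}`);
  }
  return name;
}

// si.services() is assumed here to take a comma-separated list of names;
// normalise that shape by validating each element separately and re-joining,
// so surrounding whitespace is stripped and empty lists are rejected.
function validateServiceList(input) {
  if (typeof input !== "string") {
    const kind = Array.isArray(input) ? "array" : typeof input;
    throw new TypeError(`service list must be a string, got ${kind}`);
  }
  const names = input.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  if (names.length === 0) {
    throw new RangeError("service list is empty");
  }
  return names.map(validateServiceName).join(",");
}

// Boolean form for callers that prefer a check to an exception.
function isSafeServiceList(input) {
  try {
    validateServiceList(input);
    return true;
  } catch (err) {
    return false;
  }
}

// Wrapper around the library call. `si` is injected so the file runs without
// the package installed; in an application pass require("systeminformation").
// Validation happens synchronously, so bad input throws before any call is made.
function safeServices(si, input) {
  const cleaned = validateServiceList(input);
  return si.services(cleaned);
}

// Stand-alone demonstration with constructed inputs and a stub `si` object.
if (typeof require !== "undefined" && require.main === module) {
  const stub = { services: (arg) => `services(${arg})` };
  console.log(safeServices(stub, "mysql, apache2"));    // services(mysql,apache2)
  console.log(isSafeServiceList(["mysql", "apache2"])); // false: arrays are rejected
  console.log(isSafeServiceList("mysql; id"));          // false: ';' and ' ' not allowed
}
```

The typeof check alone is what closes the array vector; the allow-list is a second, stricter layer so that a caller does not rely on the library's internal sanitization at all.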
Because the vulnerability is not well explained (in my opinion), I decided to write a small app based on the vulnerable version of systeminformation. The PoC contains:
Steps to reproduce:
This will fail because of string sanitization:
As the CVE details say: "sanitization works as expected, reject any arrays [...]"
Success! Our command got executed. Of course no one cares about "pwn.txt", but a potential attacker can:
"Command injection" sounds innocent, but it may have a huge impact if certain conditions are met.
The problem was fixed in version 5.3.1 of "systeminformation". Credits to https://www.huntr.dev/users/EffectRenan (he found the vulnerability; however, in my opinion, his PoC did not show real-world impact).
Also, do not hesitate to use this PoC in CTFs, but it would be cool if you credited the author of the finding, EffectRenan, and the PoC creator, me. Cheers!
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.