Security Fix for RCE on "wireless-tools" - huntr.dev

[huntr-helper]

https://huntr.dev/users/Asjidkalam has fixed the RCE on "wireless-tools" vulnerability 🔨. Asjidkalam has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/wireless-tools/1/README.md

User Comments:

📊 Metadata *

Command injection vulnerability

Bounty URL: https://www.huntr.dev/bounties/1-npm-wireless-tools

⚙️ Description *

The wireless-tools module is vulnerable against RCE since command is crafted using user inputs not validated and then executed, leading to arbitrary command injection. The argument options can be controlled by users without any sanitization. It was using exec() function which is vulnerable to Command Injection if it accepts user input and it goes through any sanitization or escaping.

💻 Technical Description *

The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape them. I replaced it with execFile() which mitigates any possible Command Injections as it accepts input as arrays.

🐛 Proof of Concept (PoC) *

The PoC given in the bounty was incorrect, here's the PoC:
Install the package and run the below code, you'll need to have a PDF to test:

var hd = require('wireless-tools/ifconfig');
hd.status("t; touch HACKED; #", function(){});

A file named HACKED will be created in the current working directory.

🔥 Proof of Fix (PoF) *

After applying the fix, run the PoC again and no files will be created. Hence command injection is mitigated.

👍 User Acceptance Testing (UAT)

Only execFile is used, no breaking changes introduced.