CVE-2018-13797
Command Injection vulnerability in macaddress (npm)
What is CVE-2018-13797 About?
The `macaddress` package is vulnerable to command injection if an attacker can control the `iface` argument to its `one` method. This allows an attacker to execute arbitrary shell commands on the system. Exploitation is straightforward given control over the specific input parameter.
Affected Software
Technical Details
The macaddress package is susceptible to command injection because it directly incorporates the iface argument into a shell command without proper sanitization or escaping. When an attacker can control the value of the iface argument passed to the one method, they can inject malicious shell commands. These commands are then executed by the underlying operating system with the privileges of the running application. For example, by inserting shell metacharacters such as semicolons (;), backticks (`), or pipes (|) followed by arbitrary commands within the iface parameter, an attacker can bypass the intended functionality and execute arbitrary code.
What is the Impact of CVE-2018-13797?
Successful exploitation may allow attackers to execute arbitrary commands on the underlying operating system, leading to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2018-13797?
Exploitation of this command injection vulnerability is simple, provided the attacker can control the iface argument of the one method. There are typically no authentication or privilege requirements explicitly stated, implying that if an application passes user-controlled input to this argument, an unauthenticated attacker could potentially exploit it. Exploitation is usually local if the application processes internal input, but could be remote if the iface argument comes from a network request. The main prerequisite is control over the iface argument. Risk factors that increase exploitation likelihood include any application that directly uses the macaddress package with unsanitized user-supplied input for the iface parameter, allowing for easy injection of malicious commands.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| dsp-testing | Link | PoC for CVE-2018-13797 |
What are the Available Fixes for CVE-2018-13797?
About the Fix from Resolved Security
This patch mitigates the command injection vulnerability CVE-2018-13797 by replacing the use of exec (which invokes a shell and can interpret input as commands) with execFile, and by correctly separating command arguments to avoid concatenating user-controlled data. This prevents attackers from injecting arbitrary shell commands via crafted interface names, ensuring that only legitimate system commands are executed.
Available Upgrade Options
- macaddress
- <0.2.9 → Upgrade to 0.2.9
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-pp57-mqmh-44h7
- https://news.ycombinator.com/item?id=17283394
- https://github.com/scravy/node-macaddress/releases/tag/0.2.9
- https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332
- https://www.npmjs.com/advisories/654
- https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332
- https://github.com/advisories/GHSA-pp57-mqmh-44h7
- https://hackerone.com/reports/319467
- https://github.com/scravy/node-macaddress/releases/tag/0.2.9
- https://github.com/scravy/node-macaddress
What are Similar Vulnerabilities to CVE-2018-13797?
Similar Vulnerabilities: CVE-2021-39148 , CVE-2021-41221 , CVE-2021-3807 , CVE-2021-23377 , CVE-2021-23378
