Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks


A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions of systems to potential remote code execution (RCE) and privilege escalation attacks.

The vulnerability, assigned CVE-2024-56334, highlights the importance of secure coding practices when dealing with untrusted user input.

The vulnerability resides in the getWindowsIEEE8021x function of the systeminformation package, specifically affecting versions ≤5.23.6.


The issue stems from inadequate sanitization of the Wi-Fi SSID field, which is passed directly as a parameter to Windows' cmd.exe. This allows attackers to inject malicious payloads that are then executed as operating system commands.


Details of the Vulnerability

According to the GitHub reports, the flaw was discovered in how the SSID is obtained and processed.

The SSID is retrieved using the netsh wlan show interface command and subsequently passed to cmd.exe /d /s /c "netsh wlan show profiles".

The SSID field is not sanitized before being passed to the command, allowing attackers to craft malicious SSID names that execute arbitrary commands on the victim's system.

Proof of Concept (PoC)

The following steps demonstrate the vulnerability:

  1. Crafting a Malicious SSID: An attacker can set the SSID of a hotspot to include a command injection payload, such as:
    • a" | ping /t 127.0.0.1 &
    • a" | %SystemDrive%\a.exe &
  2. Connecting to the Malicious Network: The victim connects to the malicious SSID using a vulnerable system.
  3. Executing the Exploit: The vulnerable function is reached through the package's public API:
    const si = require('systeminformation');
    // networkInterfaces() ends up calling getWindowsIEEE8021x, which builds the netsh command from the current SSID
    si.networkInterfaces((net) => { console.log(net) });

This exploit enables the execution of arbitrary commands, such as running executables or creating an indefinite ping loop.

Affected and Patched Versions

Here are the affected and patched versions of the systeminformation package, presented as a table for readability:

Version Status      Version     Details
Affected Versions   ≤ 5.23.6    Vulnerable to the command injection flaw.
Patched Version     5.23.7      Vulnerability fixed; sanitization implemented.

The impact of the vulnerability is severe and poses significant security risks. Exploiting this flaw can enable remote code execution (RCE) or local privilege escalation, depending on how the systeminformation package is used within an application.

By injecting malicious commands through a specially crafted Wi-Fi SSID, attackers can execute arbitrary commands, potentially gaining unauthorized access to systems, exfiltrating sensitive data, or disrupting operations.

The vulnerability compromises the confidentiality, integrity, and availability of the affected systems, with a CVSS v3 base score of 10.0 (High) indicating the critical nature of the issue. Developers must act swiftly to patch their systems and prevent potential exploitation.

The vulnerability was reported by security researcher @xAiluros, who documented the issue and the proof of concept.

The author of the package, sebhildebrandt, quickly addressed the issue by releasing a patched version. Developers relying on the systeminformation package should act promptly to secure their systems against this critical flaw.
