VYPR
Critical severity · NVD Advisory · Published Jun 29, 2020 · Updated Aug 4, 2024

CVE-2020-15362

Description

wifiscanner.js in thingsSDK WiFi Scanner 1.0.1 allows code injection via unsanitized options for binary path and arguments, leading to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2020-15362 is a code injection vulnerability in wifiscanner.js, part of the thingsSDK WiFi Scanner version 1.0.1. The root cause is that the module builds a command string by concatenating the binaryPath and args options without any sanitization, then passes that string directly to Node.js child_process.exec(). Because exec() hands the string to a shell for parsing, anyone who controls either option controls the command that is executed.

Exploitation

The vulnerability can be exploited by providing malicious input via the options object. For example, an attacker can set the args option to include shell metacharacters like ; to execute additional commands, or set binaryPath to an arbitrary executable path. The GitHub issue [2] demonstrates two exploit payloads: one using args: ";/bin/touch /tmp/exploit.txt;#" and another using binaryPath: "/bin/touch" with args: "/tmp/exploit.txt". No authentication is required, and the attack can be mounted by any user who can pass options to the module.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host system with the privileges of the running Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within a network.

Mitigation

As of the publication date [1], there is no patched version available. The vendor did not provide a fix, and the module's repository appears unmaintained. Users are advised to sanitize any user-supplied input before passing it to the wifiscanner options, or to avoid using this module altogether. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.
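An added example, not code from wifiscanner or from the advisory, showing one way to apply the mitigation above in Node.js: the string-concatenation pattern next to a validated call that uses child_process.execFile. The allowlisted paths, the argument pattern and all function names are assumptions made for illustration.

```javascript
const { execFile } = require('node:child_process');

// Assumed allowlist: absolute paths of scanner binaries this host may run.
const ALLOWED_BINARIES = new Set(['/sbin/iwlist', '/usr/sbin/iwlist']);
// Assumed argument grammar: interface names, subcommands and simple flags.
const SAFE_ARG = /^[A-Za-z0-9_.:=-]+$/;

// Pattern the advisory describes: one string that a shell parses later,
// so separators inside either option become part of the command line.
function buildShellCommand(options) {
  return options.binaryPath + ' ' + options.args;
}

// Hardened form: validate both options, then return a file plus argv array.
function buildExecFileCall(options) {
  const { binaryPath, args } = options;
  if (typeof binaryPath !== 'string' || !ALLOWED_BINARIES.has(binaryPath)) {
    throw new Error('binaryPath is not an allowlisted scanner binary');
  }
  if (!Array.isArray(args) ||
      !args.every((a) => typeof a === 'string' && SAFE_ARG.test(a))) {
    throw new Error('args must be an array of plain tokens');
  }
  return { file: binaryPath, argv: [...args] };
}

// execFile starts the binary without a shell, so argv entries are passed
// to the process as-is and are never re-parsed as command syntax.
function scan(options, callback) {
  const { file, argv } = buildExecFileCall(options);
  return execFile(file, argv, { timeout: 10000 }, callback);
}

// True when the options are refused before any process is started.
function isRejected(options) {
  try {
    buildExecFileCall(options);
    return false;
  } catch (err) {
    return true;
  }
}
```

Passing args as an array is what removes the shell from the picture; the allowlist and token check additionally stop a caller from swapping in a different executable or unexpected argument shapes.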

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
wifiscanner (npm) | <= 1.0.1 | (none listed)

Affected products

2

Patches

0

No patches discovered yet.

References

3
