VYPR
Critical severity · NVD Advisory · Published Feb 8, 2021 · Updated Sep 17, 2024

Command Injection

CVE-2020-7786

Description

Command injection in macfromip npm package allows arbitrary command execution via crafted IP input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-7786 is a command injection vulnerability in the macfromip npm package, affecting all versions. The injection points are located at lines 66 and 96 in macfromip.js, where user-supplied input is passed unsanitized to system commands [1][2].

Exploitation

An attacker can exploit this by providing a specially crafted IP address string containing shell metacharacters (e.g., &, ;, |) to the getMacInLinux or getMacInWin32 functions. The provided proof-of-concept demonstrates that passing "& touch JHU" as the IP argument results in execution of the injected command [2]. No authentication or special privileges are required beyond the ability to call the vulnerable functions.

Impact

Successful exploitation allows arbitrary command execution on the host system with the privileges of the Node.js process. This can lead to full system compromise, data exfiltration, or further lateral movement within the network.

Mitigation

As of the publication date, there is no fixed version of macfromip. The package appears to be unmaintained. Users are advised to avoid using this package or to implement strict input validation and sanitization as a workaround [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         | Affected versions | Patched versions
macfromip (npm) | <= 1.1.1          | none (no fixed version)

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0 (no linked articles in our index yet)