Summary
A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.
Details
In lib/wifi.js, the wifiNetworks() function sanitizes the iface parameter on the initial call (line 437). However, when the initial scan returns empty results, a setTimeout retry (lines 440-441) calls getWifiNetworkListIw(iface) with the original unsanitized iface value, which is passed directly to execSync('iwlist ${iface} scan').
PoC
- Install systeminformation@5.30.7
- Call si.wifiNetworks('eth0; id')
- The first call sanitizes input, but if results are empty, the retry executes: iwlist eth0; id scan
Impact
Remote Code Execution (RCE). Any application passing user-controlled input to si.wifiNetworks() is vulnerable to arbitrary command execution with the privileges of the Node.js process.
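The pattern described in Details, reduced to a self-contained model with the vulnerable retry beside a corrected one. This is an added example, not code from lib/wifi.js or the systeminformation project: sanitizeIface, makeScanner, recordingRunner and commandsFor are hypothetical names, the retry is synchronous rather than a setTimeout, and command strings are only recorded, never executed.

```javascript
// Simplified model of the retry flaw. All names are hypothetical; this is not
// the code from lib/wifi.js. Commands are recorded, never executed.

// Stand-in sanitizer (assumption): keep only characters plausible in an
// interface name, dropping shell metacharacters and whitespace.
function sanitizeIface(iface) {
  return String(iface).replace(/[^A-Za-z0-9_.:-]/g, '');
}

// Builds a scan function around an injected run(cmd) that returns scan results.
function makeScanner(run, { sanitizeRetry }) {
  return function scan(iface) {
    const safe = sanitizeIface(iface);
    let result = run(`iwlist ${safe} scan`);
    if (result.length === 0) {
      // Retry path: the vulnerable variant reuses the caller's raw value,
      // the corrected variant reuses the already-sanitized one.
      const retryIface = sanitizeRetry ? safe : iface;
      result = run(`iwlist ${retryIface} scan`);
    }
    return result;
  };
}

// Records every command string and always reports an empty scan,
// which forces the retry branch to run.
function recordingRunner(log) {
  return (cmd) => { log.push(cmd); return []; };
}

// Returns the command strings one scan call would have handed to the shell.
function commandsFor(iface, sanitizeRetry) {
  const log = [];
  makeScanner(recordingRunner(log), { sanitizeRetry })(iface);
  return log;
}

// Input taken from the PoC above.
const vulnerable = commandsFor('eth0; id', false);
const hardened = commandsFor('eth0; id', true);
console.log(vulnerable); // [ 'iwlist eth0id scan', 'iwlist eth0; id scan' ]
console.log(hardened);   // [ 'iwlist eth0id scan', 'iwlist eth0id scan' ]
```

Passing the interface name as a separate argument to child_process.execFile, instead of interpolating it into a shell string, removes the shell from this path altogether.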