Remote Code Execution bug found in Popular Node.js changelog library (I go through the code)
Key Takeaways
A remote code execution bug was found in the standard-version package, a popular Node.js changelog library, allowing users to input arbitrary strings that are executed as code, and the GitHub security team has identified the vulnerability, which can be exploited for remote code execution using Git tag commands with arbitrary input from users.
Full Transcript
what's going on guys we have a beautiful remote code execution bug in node.js well correction it's in onenote.js package i guess you can call it a node.js bug because it's a package right it's called change log library so in this video i want to go through the bug i'm going to show you the actual code because it's an open source code so i'm going to show the code and how does it happen and uh all that jazz that's a very interesting uh it's gonna be an interesting video guys so stay tuned so it turns out yesterday july 20th 2020 uh the github security team found a remote code execution bug and if you're not familiar an rce bug is basically when you allow the user to input some arbitrary string and that string goes into your libraries and packages and end up into a place where it shouldn't end up and the system accidentally tries to execute that string as an actual code so it end up in this case particular case bash script right so like rm-rf dot that's a bash script and you can run it and if you're running node.js as root tough luck man all right so that's a remote execution bug right and uh it's uh this is the article i'm gonna reference it below it goes into the node.js it doesn't know it's this this package change log it's being used by 20 000 project and and it is basically the change control for your application i never used it but from what reading it allows you to version your code to swap releases to say okay this code is a release one this is a release 1.1 the 1.2 so obviously it's a very popular feature right and here's the thing guys this is this is the package right standard version i don't know if you if you're using it just just be aware i believe even if you're using it you're still in the clear unless you're using that particular property that we're going to talk about that causes the remote execution code and what this code what this version application does it just allow you to version your code so it's like okay hey this is version one release one and some comments and this is the part where it gets interesting right so you can just install this and start using it and you can you can version your code right and here's here's how it you can this is the security vulnerability report that doesn't uh is the version and everything right and here's how you can use it this particular property is what causes the the uh the injection attack and essentially what this property does is allow you to add messages to the release that you just stacked just like exactly like get tag this is exactly think of it like exactly like get tag dash m so dash m allows you to add basically the the tagging message right so whatever you put in this text is gonna go into dash m into this that's what it is right and as a result what those smart people and github did it's like okay let's let's inject a string with double tick mark like that and add a bash script so they added blub but they added tick mark and then they this is an actual touch touches a batch command right where you can you can create a file this is just to prove the concept but you might as well just do rm-rf right dot that just kills everything in your uh current directory and then when they run this node.js test.js that exploit file was created as a result of running this code so pretty bad right guys so that's essentially what this bug is and if you're using standard version and if you're utilizing the release commit message right and you somehow have this string fed by some other unsanitized input from the user then you need to worry if you don't have these three i wouldn't call this a high security i think it's labeled as high but i wouldn't call it high to be honest so what happened guys what happened let me move myself a little bit here this is this is what happened right git tag it just tags the current branch or release with that message that you put on but look at the code here i'm gonna go to the code actually now right oh i can move myself back up look at the code guys this is the code i went back to the issue where they introduced release commit message format and look at the code it's so beautiful so basically what the code does is it technically runs the git command with a commit and that's actually there are two places when you commit you can pass a dash m and you they pass in that format commit message with the release message the whatever the string that we have they pass it in and apparently the run execute command however they executed interpret this as two commands the git and when we added the tick that executed a completely another command right so if you had another command in this case like git touch or or bash or rm that will essentially execute it because look at that this is just executing command right command prompt get command and uh it's very interesting we have two places where this is executed right git tag and and get execute git commit so yeah very interesting guys isn't it so that's that's the basically the video she's talking about that vulnerability but i want you to also think about the places i i i definitely have run into places where i ask the user to take an input and i shove it down uh some some some sort of execution engine without sanitizing right because you can't possibly as a backhand engineer think of all these possible things you need to be really well trained and versed by all these attacks right so i hope these guys just give you like a flavor of what things that we need to deal with as backend engineers as security engineers in general and it is a very interesting bug uh again i don't think it's a big deal i don't think it's a it's a it's a huge security risk i don't believe it was fixed to be honest yet as far as we're speaking here right looking at this security uh secure there is oh there there's a thing here the security policies are just a security policy what is that um there is a flag but i don't think it's it was just reported yesterday i believe and i jumped into the reporting immediately right after i learned about it so very very very interesting bug and 20 000 project you uses this and you would if we look at that how when was this feature added let's be honest it was added may 2019 how many people started using this release commit message format since then that date of of those 20 000 products very few and of those few that uses those uh property i believe i believe very few will add some sort of a arbitrary input for the user to actually uh execute to actually just pass in whatever the user inputs like when i say user here i mean client to the node.js and it could be express application could be from the user itself it could be from normal things so it is really really hard to to execute this remote uh code uh vulnerability i believe right especially because we don't we don't get allow the user to enter their own message right uh especially when you create a version that's a that's a significant release right that's a significant task creating a release creating a version it's a big thing we cannot just create a version out of the car you don't let the users do that right so again it's a it's a good find and will allow us will uh will definitely allow us to pay attention to our code right i'm not talking about changelog here code that we write as backend engineers to kind of take just just uh let us sync man this is this is big stuff man this is cool stuff so yeah i don't i don't think it's a big i think it's it's a low at best meh medium at best but definitely not high all right guys what do you think about this bug and do you think it's high really risky did i miss something where people can actually uh take exploit they exploit this uh a remote code execution bug to execute bad stuff or no it could be like low or medium to you let me know in the comment section below and uh you guys see in the next one you guys say awesome check out the other content in this show i don't only talk about back-end news i talk about any other thing back-end uh engineering and security stuff like that stuff that particularly interests me check out this content in the channel so much stuff see you in the next one goodbye
Original Description
Github security team has found a remote execution code in Node.JS library changelog. In this video I describe the bug and go through the code
Resources
https://portswigger.net/daily-swig/github-security-team-finds-remote-code-execution-bug-in-popular-node-js-changelog-library
https://github.com/conventional-changelog/standard-version/pull/351/files
https://github.com/advisories/GHSA-7xcx-6wjh-7xp2
🏭 Backend Engineering Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQUNnO4p00ua_C5mKTfldiYT
💾 Database Engineering Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQXjD0HOzN7P2tgzu7scWpl2
🛰 Network Engineering Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQUBSgBXilKhRMJ1ACqr7pTr
🏰 Load Balancing and Proxies Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQVMeBmWI2AhxULWEeo7AaMC
🐘 Postgres Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQWGrOqslniFlRcwxyY94cjj
🚢Docker
https://www.youtube.com/playlist?list=PLQnljOFTspQWsD-rakNw1C20c1JI8UR1r
🧮 Programming Pattern Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQV1emqxKbcP5esAf4zpqWpe
🛡 Web Security Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQU3YDMRSMvzflh_qXoz9zfv
🦠 HTTP Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQU6zO0drAYHFtkkyfNJw1IO
🐍 Python Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQU_M83ARz8mDdr4LThzkBKX
🔆 Javascript Videos
https://www.youtube.com/playlist?list=PLQnljOFTspQWab0g3W6ZaDM6_Buh20EWM
👾Discord Server https://discord.gg/CsFbFce
Become a Member
https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join
Support me on PayPal
https://bit.ly/33ENps4
Become a Patreon
https://www.patreon.com/join/hnasr?
Stay Awesome,
Hussein
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Hussein Nasser · Hussein Nasser · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Extending ArcObjects (IGeometry) - 01 - Getting Started
Hussein Nasser
Extending ArcObjects (IGeometry) - 02 - The Document, The Map and The Layers
Hussein Nasser
Channel Update - New Book, New Job, New Videos
Hussein Nasser
Learn Programming with VB.NET - 01 - Getting Started
Hussein Nasser
Learn Programming with VB.NET - 02 - Classes and Objects (Part 1)
Hussein Nasser
Learn Programming with VB.NET - 03 - Classes and Objects (Part 2)
Hussein Nasser
Learn Programming with VB.NET - 04 - User Interface
Hussein Nasser
Learn Programming with VB.NET - 05 - By Value v. By Reference
Hussein Nasser
Learn Programming with VB.NET - 06 - Variable size, 32 bit vs 64 bit
Hussein Nasser
Learn Programming with VB.NET - 07 - Conditional Statements
Hussein Nasser
Learn Programming with VB.NET - 08 - Inheritance
Hussein Nasser
Learn Programming with VB.NET - 09 - Strategy Design Pattern
Hussein Nasser
Learn Programming with VB.NET - 10 - How did I learn programming
Hussein Nasser
IGeometry 2016 Retrospective - Channel Update
Hussein Nasser
Javascript by Example - The Vook
Hussein Nasser
Vlog - Keep your servers close and your database closer
Hussein Nasser
Vlog - Client/Server Programming Languages
Hussein Nasser
Javascript By Example L1E01 - Getting Started
Hussein Nasser
Persistent Connections (Pros and Cons)
Hussein Nasser
Javascript By Example L1E02 - Building the Calculator Interface
Hussein Nasser
Happy new Year from IGeometry!
Hussein Nasser
Synchronous v. Asynchronous
Hussein Nasser
Javascript By Example L1E03 - Displaying the Digits on Calculator Screen
Hussein Nasser
Show Your Work. Blog, Vlog, Write, Create and Develop!
Hussein Nasser
Relational Database Atomicity Explained By Example
Hussein Nasser
Javascript By Example L1E04 - Operators, All Clear with Arrow Functions
Hussein Nasser
What Comes First, User Experience or Software Architecture?
Hussein Nasser
Javascript By Example L1E05 - Evaluate the Calculator Expressions with eval
Hussein Nasser
Fastest Way to Learn Programming Language or Technology
Hussein Nasser
Javascript By Example L1E06 - Fix Leading Zero Bug with Conditions
Hussein Nasser
Stateful vs Stateless Applications (Explained by Example)
Hussein Nasser
Javascript By Example L1E07 - Running our Calculator on the Mobile Phone
Hussein Nasser
Advice for New Software Engineers and Developers
Hussein Nasser
Why JSON is so Popular?
Hussein Nasser
Building Scalable Software - SLA, HS, VS
Hussein Nasser
Vlog (Istanbul) - Datacenter Proximity
Hussein Nasser
Should Software Engineers Learn Bleeding-Edge Technologies?
Hussein Nasser
Do Developers Build Bad User Interfaces/Experience?
Hussein Nasser
Learn By Doing.
Hussein Nasser
I Wrote Bad Front-End Code That Broke Chrome
Hussein Nasser
My Story
Hussein Nasser
Vlog - Horizontal vs Vertical Scaling
Hussein Nasser
Can User Experience Help Build Better Rest API?
Hussein Nasser
Reverse engineering Instagram in flight mode
Hussein Nasser
The Benefits of the 3-Tier Architecture (e.g. REST API)
Hussein Nasser
Stateless v. Stateful Architecture (Podcast)
Hussein Nasser
The evolution from virtual machines to containers
Hussein Nasser
Proxy vs. Reverse Proxy (Explained by Example)
Hussein Nasser
Canary Deployment (Explained by Example)
Hussein Nasser
No Excuses
Hussein Nasser
Synchronous vs Asynchronous Applications (Explained by Example)
Hussein Nasser
What is an Asynchronous service?
Hussein Nasser
Difference between Client Polling vs Server Push in Notifications
Hussein Nasser
Software vs. Hardware AdBlockers (Explained by Example)
Hussein Nasser
HTTP Caching with E-Tags - (Explained by Example)
Hussein Nasser
Simple Object Access Protocol Pros and Cons (Explained by Example)
Hussein Nasser
Nodejs Express "Hello, World"
Hussein Nasser
Reverse Engineering Instagram feed
Hussein Nasser
Popup Modal Dialog with Javascript and HTML
Hussein Nasser
MIME and Media Type sniffing explained and the type of attacks it leads to
Hussein Nasser
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
Breaking the Clipboard: Why Copy-Pasting Across Different OS is Still Painful
Dev.to · SimpleDrop-Free&Secure File Sharing
Beyond console.log: Advanced Debugging Workflows That Will Save You Hours
Medium · JavaScript
cgo Overhead Dropped 30%. When Should You Actually Care?
Medium · Programming
Why Everyone is Wrong About Website Development?
Medium · Programming
🎓
Tutor Explanation
DeepCamp AI