Systeminformation Command Injection Vulnerability in WifiNetworks Function

Vulnerability

A command injection vulnerability has been identified in the Systeminformation library for Node.js, specifically in versions prior to 5.30.8. The issue arises in the wifiNetworks() function, where an unsanitized network interface parameter in the retry code path allows for the execution of arbitrary OS commands. When the initial scan returns no results, a setTimeout retry calls the getWifiNetworkListIw() function with the original unsanitized iface value. This value is then passed directly to execSync() to execute a command, potentially leading to unauthorized command execution with the privileges of the Node.js process.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system, with the executed commands running under the privileges of the Node.js process.

Reproduction

To reproduce this vulnerability, install the Systeminformation library version 5.30.7. Then, call the wifiNetworks() function with a user-controlled network interface parameter, such as 'eth0; id'. The first call will sanitize the input, but if the results are empty, the retry mechanism will execute the unsanitized iface value, including any injected commands.

Remediation

Users are advised to upgrade to Systeminformation version 5.30.8 or later, where this vulnerability has been fixed.

Added: Feb 19, 2026, 8:32 PM
Updated: Feb 19, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 5.6
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.