GHSA-p8gp-2w28-mhwg

Summary

A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages.

Details

Product: Signal K set-system-time plugin
Repository: https://github.com/SignalK/set-system-time

File: index.js, lines 60-71

      stream.onValue(function (datetime) {
        var child
        if (process.platform == 'win32') {
          console.error("Set-system-time supports only linux-like os's")
        } else {
          if( ! plugin.useNetworkTime(options) ){
            const useSudo = typeof options.sudo === 'undefined' || options.sudo
            const setDate = `date --iso-8601 -u -s "${datetime}"`  // ← VULNERABLE
            const command = useSudo
              ? `if sudo -n date &> /dev/null ; then sudo ${setDate} ; else exit 3 ; fi`
              : setDate
            child = require('child_process').spawn('sh', ['-c', command])  // ← EXECUTES SHELL

The vulnerability has three components:

1. Unsanitized Input: The datetime value from navigation.datetime Signal K path is directly interpolated into a shell command without validation
2. Shell Execution: The command is executed via spawn('sh', ['-c', command]), which interprets shell metacharacters
3. Sudo Privileges: The plugin can execute with root privileges if sudo is misconfigured, instructions to limit passwordless sudo to the /bin/date binary helps mitigate this but RCE can still be achieved with the privileges of the user that installed it.

PoC

Exploitation Requirements

• Signal K server with security enabled, if disabled credentials not required
• Valid user credentials with...