A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages.
Product: Signal K set-system-time plugin
Repository: https://github.com/SignalK/set-system-time
File: index.js, lines 60-71
stream.onValue(function (datetime) {
var child
if (process.platform == 'win32') {
console.error("Set-system-time supports only linux-like os's")
} else {
if( ! plugin.useNetworkTime(options) ){
const useSudo = typeof options.sudo === 'undefined' || options.sudo
const setDate = `date --iso-8601 -u -s "${datetime}"` // ← VULNERABLE
const command = useSudo
? `if sudo -n date &> /dev/null ; then sudo ${setDate} ; else exit 3 ; fi`
: setDate
child = require('child_process').spawn('sh', ['-c', command]) // ← EXECUTES SHELL
The vulnerability has three components:
datetime value from navigation.datetime Signal K path is directly interpolated into a shell command without validationspawn('sh', ['-c', command]), which interprets shell metacharacterssudo is misconfigured, instructions to limit passwordless sudo to the /bin/date binary helps mitigate this but RCE can still be achieved with the privileges of the user that installed it.1.5.0Exploitability
AV:NAC:LPR:LUI:NScope
S:CImpact
C:HI:HA:H9.9/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H