+ "details": "### Summary\nA Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing `navigation.datetime` values received via WebSocket delta messages.\n\n### Details\n**Product:** Signal K set-system-time plugin \n**Repository:** https://github.com/SignalK/set-system-time \n\nFile: `index.js`, lines 60-71\n\n```javascript\n stream.onValue(function (datetime) {\n var child\n if (process.platform == 'win32') {\n console.error(\"Set-system-time supports only linux-like os's\")\n } else {\n if( ! plugin.useNetworkTime(options) ){\n const useSudo = typeof options.sudo === 'undefined' || options.sudo\n const setDate = `date --iso-8601 -u -s \"${datetime}\"` // ← VULNERABLE\n const command = useSudo\n ? `if sudo -n date &> /dev/null ; then sudo ${setDate} ; else exit 3 ; fi`\n : setDate\n child = require('child_process').spawn('sh', ['-c', command]) // ← EXECUTES SHELL\n```\n\nThe vulnerability has three components:\n\n1. **Unsanitized Input**: The `datetime` value from `navigation.datetime` Signal K path is directly interpolated into a shell command without validation\n2. **Shell Execution**: The command is executed via `spawn('sh', ['-c', command])`, which interprets shell metacharacters\n3. **Sudo Privileges**: The plugin can execute with root privileges if `sudo` is misconfigured, instructions to limit passwordless sudo to the /bin/date binary helps mitigate this but RCE can still be achieved with the privileges of the user that installed it.\n\n### PoC\n#### Exploitation Requirements\n\n- Signal K server with security enabled, if disabled credentials not required\n- Valid user credentials with `readwrite` or `admin` permissions\n- set-system-time plugin installed and enabled\n- Signal K server installed on a Linux OS\n- Passwordless sudo configured, official instructions will do this for the `date` command which is enough to satisfy the if condition\n\n\n```Python\n\"\"\"\nRun provided POC:\n python3 poc.py --host signalkserver_IP -u username -p password\n\nPayload: Creates /tmp/signalk-RCE.txt to prove code execution\n\"\"\"\n```\n\n### Impact\nAn attacker that has write privileges either through security on the Signal K server being disabled or valid credentials with read/write permissions can execute arbitrary commands on the server with the privileges of the SignalK process or root if sudo is misconfigured. This enables complete system compromise.\n\n### Recommendations\n\n- Replace shell-based execution with child_process.execFile() so user-controlled input is passed as arguments rather than interpreted by a shell.\n\n- Validate that navigation.datetime conforms to an expected ISO-8601 format to improve robustness.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments