fix(deps): update dependency systeminformation to v5.23.8 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
systeminformation (source)	5.23.5 -> 5.23.8

GitHub Vulnerability Alerts

CVE-2024-56334

Summary

The SSID is not sanitized when before it is passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands.

Details

I have exploited this vulnerability in a Windows service using version 5.22.11 of the module, to escalate privileges (in an environment where I am authorized to do so). However, as far as I can see from the code, it is still present in master branch at time of writing, on line 403/404 of network.js.

The SSID is obtained from netsh wlan show interface ... in getWindowsWirelessIfaceSSID, and then passed to cmd.exe /d /s /c "netsh wlan show profiles ... in getWindowsIEEE8021x, without sanitization.

PoC

First, the command injection payload should be included in the connected Wi-Fi SSID. For example create hotspot on mobile phone or other laptop, set SSID to payload, connect to it with victim Windows system. Two example SSID's to demonstrate exploitation are below.

Demonstration to run ping command indefinitely:

a" | ping /t 127.0.0.1 &

Run executable with privileges of the user in which vulnerable function is executed. Chosen executable should should be placed in (assuming system drive is C): C:\a\a.exe.

a" | %SystemDrive%\a\a.exe &

Then, the vulnerable function can be executed on the victim system, for example, using:

const si = require('systeminformation');
si.networkInterfaces((net) => { console.log(net) });

Now the chosen command, PING.exe or a.exe will be run through the cmd.exe command line.

Impact

This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation.

---

Release Notes

sebhildebrandt/systeminformation (systeminformation)

v5.23.8

Compare Source

v5.23.6

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 46 workspace projects
 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/packages/plugin-node/package.json

Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"

    Failure reason:
    specifiers in the lockfile ({"@ai16z/eliza":"workspace:*","@aws-sdk/client-s3":"^3.705.0","@aws-sdk/s3-request-presigner":"^3.705.0","@cliqz/adblocker-playwright":"1.34.0","@echogarden/espeak-ng-emscripten":"0.3.3","@echogarden/kissfft-wasm":"0.2.0","@echogarden/speex-resampler-wasm":"0.2.1","@huggingface/transformers":"3.0.2","@opendocsg/pdf2md":"0.1.32","@types/uuid":"10.0.0","alawmulaw":"6.0.0","bignumber":"1.1.0","bignumber.js":"9.1.2","capsolver-npm":"2.0.2","cldr-segmentation":"2.2.1","command-exists":"1.2.9","csv-writer":"1.6.0","echogarden":"2.0.7","espeak-ng":"1.0.2","ffmpeg-static":"5.2.0","fluent-ffmpeg":"2.1.3","formdata-node":"6.0.3","fs-extra":"11.2.0","gaxios":"6.7.1","gif-frames":"0.4.1","glob":"11.0.0","graceful-fs":"4.2.11","html-escaper":"3.0.3","html-to-text":"9.0.5","import-meta-resolve":"4.1.0","jieba-wasm":"2.2.0","json5":"2.2.3","kuromoji":"0.1.2","libsodium-wrappers":"0.7.15","multer":"1.4.5-lts.1","node-cache":"5.1.2","node-llama-cpp":"3.1.1","nodejs-whisper":"0.1.18","onnxruntime-node":"1.20.1","pdfjs-dist":"4.7.76","playwright":"1.48.2","pm2":"5.4.3","puppeteer-extra":"3.3.6","puppeteer-extra-plugin-capsolver":"2.0.1","sharp":"0.33.5","srt":"0.0.3","systeminformation":"5.23.5","tar":"7.4.3","tinyld":"1.3.4","uuid":"11.0.3","wav":"1.0.2","wav-encoder":"1.3.0","wavefile":"11.0.0","whatwg-url":"7.1.0","yargs":"17.7.2","youtube-dl-exec":"3.0.10","@types/node":"22.8.4","tsup":"8.3.5"}) don't match specs in package.json ({"onnxruntime-node":"1.20.1","whatwg-url":"7.1.0","@types/node":"22.8.4","tsup":"8.3.5","@ai16z/eliza":"workspace:*","@aws-sdk/client-s3":"^3.705.0","@aws-sdk/s3-request-presigner":"^3.705.0","@cliqz/adblocker-playwright":"1.34.0","@echogarden/espeak-ng-emscripten":"0.3.3","@echogarden/kissfft-wasm":"0.2.0","@echogarden/speex-resampler-wasm":"0.2.1","@huggingface/transformers":"3.0.2","@opendocsg/pdf2md":"0.1.32","@types/uuid":"10.0.0","alawmulaw":"6.0.0","bignumber":"1.1.0","bignumber.js":"9.1.2","capsolver-npm":"2.0.2","cldr-segmentation":"2.2.1","command-exists":"1.2.9","csv-writer":"1.6.0","echogarden":"2.0.7","espeak-ng":"1.0.2","ffmpeg-static":"5.2.0","fluent-ffmpeg":"2.1.3","formdata-node":"6.0.3","fs-extra":"11.2.0","gaxios":"6.7.1","gif-frames":"0.4.1","glob":"11.0.0","graceful-fs":"4.2.11","html-escaper":"3.0.3","html-to-text":"9.0.5","import-meta-resolve":"4.1.0","jieba-wasm":"2.2.0","json5":"2.2.3","kuromoji":"0.1.2","libsodium-wrappers":"0.7.15","multer":"1.4.5-lts.1","node-cache":"5.1.2","node-llama-cpp":"3.1.1","nodejs-whisper":"0.1.18","pdfjs-dist":"4.7.76","playwright":"1.48.2","pm2":"5.4.3","puppeteer-extra":"3.3.6","puppeteer-extra-plugin-capsolver":"2.0.1","sharp":"0.33.5","srt":"0.0.3","systeminformation":"5.23.8","tar":"7.4.3","tinyld":"1.3.4","uuid":"11.0.3","wav":"1.0.2","wav-encoder":"1.3.0","wavefile":"11.0.0","yargs":"17.7.2","youtube-dl-exec":"3.0.10"})

[shakkernerd]

Not necessary atm.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (5.23.8). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.