This repository has been archived by the owner on Mar 10, 2024. It is now read-only.

fix: update package.json to patch 9.8 CVSS Critical vulnerability #841

Merged
merged 1 commit into from
May 16, 2023

Conversation

0x4248
Contributor

@0x4248 0x4248 commented May 16, 2023

@vercel

vercel bot commented May 16, 2023

@awesomelewis2007 is attempting to deploy a commit to the Supaglue Team on Vercel.

A member of the Team first needs to authorize it.

@0x4248
Contributor Author

0x4248 commented May 16, 2023

Notes from leesh3288, from here:

Sandbox Escape in vm2@3.9.15

Summary

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.

Proof of Concept

const {VM} = require("vm2");
const vm = new VM();

const code = `
aVM2_INTERNAL_TMPNAME = {};
function stack() {
   new Error().stack;
   stack();
}
try {
   stack();
} catch (a$tmpname) {
   a$tmpname.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch pwned');
}
`

console.log(vm.run(code));

Analysis

As host exceptions may leak host objects into the sandbox, code is preprocessed with transformer() (lib/transformer.js:49) in order to instrument the code with sanitizer function calls (lib/transformer.js:108).

The identifier name of the catch clause is interpolated into the insertions as code (lib/transformer.js:137) to sanitize the caught exception, which may be a host exception.

This is subsequently post-processed to replace $tmpname with the string value in tmpname (originally VM2_INTERNAL_TMPNAME) for the ObjectPattern case sanitization code (lib/transformer.js:189), which in turn allows an attacker to bypass handleException() with identifiers containing the string $tmpname.

An attacker may then use any method to raise a host exception (test/vm.js:1082; for example, via the internal prepareStackTrace) and use it to access the host Function constructor, escaping the sandbox and gaining arbitrary code execution in the host context.

Impact

Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

Credits

Xion (SeungHyun Lee) of KAIST Hacking Lab
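The fix in this pull request is a dependency bump, and the thread notes that Dependabot missed it. The following is an added example, not code from the PR or from the vm2 or Supaglue projects: a small Node script that walks a package-lock.json and flags every resolved copy of vm2 whose version falls in the range the advisory above calls vulnerable (up to 3.9.15). The lockfile embedded below is a constructed sample; the nested copy at "3.9.99" is a hypothetical later version used only to show a non-vulnerable hit.

```javascript
// Added example (not part of the PR): audit an npm lockfile for vm2 versions
// still within the vulnerable range described in the advisory (<= 3.9.15).
const VULNERABLE_MAX = [3, 9, 15];

// Parse "MAJOR.MINOR.PATCH" (ignoring pre-release/build suffixes) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is at or below the last version the advisory marks vulnerable.
function isVulnerableVm2(version) {
  return compareVersions(parseVersion(version), VULNERABLE_MAX) <= 0;
}

// Collect every resolved copy of `name`, including transitive (nested) copies.
// Supports lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 ("dependencies" tree).
function findResolvedVersions(lock, name) {
  const found = [];
  // v2/v3: keys look like "node_modules/vm2" or "node_modules/foo/node_modules/vm2"
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: entry.version });
    }
  }
  // v1: nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Report each resolved copy with a vulnerable flag.
function auditLock(lock, name = "vm2") {
  return findResolvedVersions(lock, name).map((hit) => ({
    ...hit,
    vulnerable: isVulnerableVm2(hit.version),
  }));
}

// Constructed sample lockfile: a direct copy at the vulnerable version and a
// transitive copy at a hypothetical later version (3.9.99 is not a real release claim).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.9.15" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/vm2": { version: "3.9.99" },
  },
};

if (typeof module !== "undefined" && require.main === module) {
  for (const hit of auditLock(SAMPLE_LOCK)) {
    console.log(`${hit.path}@${hit.version}: ${hit.vulnerable ? "VULNERABLE" : "ok"}`);
  }
}
```

Running it against a real lockfile is a matter of replacing SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json")). Checking the lockfile rather than package.json matters because a caret range in package.json says nothing about which version is actually installed, and a transitive copy of vm2 nested under another dependency is exactly what a direct-dependency bump would not touch.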

@asdfryan changed the title from "Update package.json to patch 9.8 CVSS Critical vulnerability" to "fix: update package.json to patch 9.8 CVSS Critical vulnerability" on May 16, 2023
@vercel

vercel bot commented May 16, 2023

The latest updates on your projects.

Name           Status    Updated (UTC)
management-ui  Ready     May 16, 2023 5:48pm
supaglue-docs  Ready     May 16, 2023 5:48pm

@lucasmarshall
Contributor

Thank you for this pull request, @awesomelewis2007! We will land it as soon as CI succeeds. Disturbing that this was not caught by Dependabot, especially since the CVE is a month old...

@0x4248
Contributor Author

0x4248 commented May 16, 2023

> Thank you for this pull request, @awesomelewis2007! We will land it as soon as CI succeeds. Disturbing that this was not caught by Dependabot, especially since the CVE is a month old...

Yes, I'm seeing quite a few repositories not fixing this CVE.

@lucasmarshall lucasmarshall merged commit ab6ceaa into supaglue-labs:main May 16, 2023