Home Cyber Crime Node.js sandboxes are open to prototype pollution

Node.js sandboxes are open to prototype pollution


Sandbox breakout can result in distant code execution, researchers warn

Node.js sandboxes are open to prototype pollution

A bug in vm2, a sandbox for testing untrusted JavaScript code, makes it potential for malicious events to bypass the library’s safety controls and perform remote code execution (RCE) assaults, a gaggle of researchers have discovered.

vm2’s GitHub page describes the library as “a sandbox that may run untrusted code with whitelisted Node’s built-in modules. Securely!”

Nonetheless, CISPA Helmholtz Heart for Info Safety, a cybersecurity analysis group in Germany, discovered that the library is open to prototype pollution attacks.

Prototype air pollution is a sort of vulnerability in JavaScript and different object-based languages that enables attackers to run arbitrary code by dynamically injecting properties into delicate objects.

Sandbox breakout

A proof-of-concept (PoC) on Snyk reveals how a couple of strains of code can exploit the vulnerability in vm2 to hold out a prototype air pollution and RCE assault on the host.

Whereas the bug has been filed as ‘prototype air pollution’, Cristian-Alexandru Staicu, one of many researchers who helped uncover and report the bug, instructed The Day by day Swig that a greater title could be “sandbox breakout”.

RELATED Prototype pollution vulnerabilities rife among high-traffic websites, study finds

“Within the PoC revealed by Snyk, we present each a prototype air pollution payload and an arbitrary code execution. They’re each the results of sandbox breakout,” Staicu stated. “vm2 is meant to forestall entry to the worldwide object/privileged operations (e.g., require), and we present how an attacker may get round this safety management.”

Whereas the vulnerability doesn’t present root entry to the host system, it provides full entry to the Node.js API, one thing vm2 is making an attempt to limit, Staicu defined.

Recurring bug

The workforce discovered the bug throughout a months-long venture investigating vulnerabilities in JavaScript sandboxes.

In March, they reported a sandbox breakout bug in isolated-vm, one other sandbox, which allowed attackers to acquire a reference to the ‘perform’ object of the Node.js context.

They’ve discovered related bugs in no less than three different sandbox libraries, Staicu stated, although he couldn’t share particulars because the disclosure course of with the related builders stays ongoing and patches are but to be launched.

“Our outcomes to date present that sandboxing JavaScript code with ES6 proxies is tough,” he stated. “We discovered breakouts in many of the techniques we analyzed, so one have to be very cautious when executing malicious code utilizing these libraries.”

YOU MAY ALSO LIKE Historic scientific notation bug foils WAF defenses

Source link