Sandbox breakout can result in remote code execution, researchers warn
vm2’s GitHub page describes the library as “a sandbox that can run untrusted code with whitelisted Node’s built-in modules. Securely!”
However, CISPA Helmholtz Center for Information Security, a cybersecurity research group in Germany, discovered that the library is open to prototype pollution attacks.
A proof-of-concept (PoC) on Snyk shows how a few lines of code can exploit the vulnerability in vm2 to carry out a prototype pollution and RCE attack on the host.
While the bug has been filed as ‘prototype pollution’, Cristian-Alexandru Staicu, one of the researchers who helped discover and report the bug, told The Daily Swig that a better title would be “sandbox breakout”.
“In the PoC published by Snyk, we show both a prototype pollution payload and an arbitrary code execution. They are both the result of sandbox breakout,” Staicu said. “vm2 is supposed to prevent access to the global object/privileged operations (e.g., require), and we show how an attacker can get around this security control.”
While the vulnerability doesn’t provide root access to the host system, it gives full access to the Node.js API, something vm2 is trying to restrict, Staicu explained.
In March, they reported a sandbox breakout bug in isolated-vm, another sandbox, which allowed attackers to obtain a reference to the ‘function’ object of the Node.js context.
They have found similar bugs in at least three other sandbox libraries, Staicu said, though he couldn’t share details as the disclosure process with the relevant developers remains ongoing and patches are yet to be released.