Impact
A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.
Summary
A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier module, defining a parser property on __proto__ with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.
Patch
A fix has been released in deobfuscator@2.4.4.
Mitigation
Proof of Concept
Craft a malicious input file named poc.js as follows:
// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())
// Synchrony exploit PoC
{
var __proto__ = { parser: 'poc.js' }
}Then, run synchrony poc.js from the same directory as the malicious file.
Credits
This vulnerability was found and disclosed by William Khem-Marquez.
References
SteakEnthusiast Reporter
Impact
A
__proto__pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.Summary
A
__proto__pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.When executing in Node.js, due to use of the
prettiermodule, defining aparserproperty on__proto__with a path to a JS module on disk causes arequireof the value which can lead to arbitrary code execution.Patch
A fix has been released in
deobfuscator@2.4.4.Mitigation
Proof of Concept
Craft a malicious input file named
poc.jsas follows:Then, run
synchrony poc.jsfrom the same directory as the malicious file.Credits
This vulnerability was found and disclosed by William Khem-Marquez.
References