Array elements left uninitialized in Array.prototype.slice() for primitive this values.

[l0kihardt]

env

ubuntu 18.04
njs 0feca92
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
built with ASAN on

bug

> (1..__proto__.length = '1', Array.prototype.slice.call(1, 0, 2)).toString()
ASAN:SIGSEGV
=================================================================
==13918==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000407181 bp 0x7ffdf2511450 sp 0x7ffdf2511430 T0)
    #0 0x407180 in nxt_lvlhsh_find nxt/nxt_lvlhsh.c:181
    #1 0x4479b7 in njs_object_property njs/njs_object_property.c:757
    #2 0x4210c2 in njs_primitive_value njs/njs_vm.c:2987
    #3 0x4206ec in njs_vmcode_string_argument njs/njs_vm.c:2864
    #4 0x41473f in njs_vmcode_interpreter njs/njs_vm.c:159
    #5 0x412c4e in njs_vm_start njs/njs.c:594
    #6 0x404a75 in njs_process_script njs/njs_shell.c:771
    #7 0x40387b in njs_interactive_shell njs/njs_shell.c:501
    #8 0x402ad1 in main njs/njs_shell.c:271

[VBart]

njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution.

[l0kihardt]

emmmm, but i think this may cause at least cpde execution, if u can control the js it executed.Maybe LPE?

…

---Original--- From: "Valentin V. Bartenev"<notifications@github.com> Date: Wed, Jul 3, 2019 15:53 PM To: "nginx/njs"<njs@noreply.github.com>; Cc: "Author"<author@noreply.github.com>;"lokihardt"<nine.twelve@foxmail.com>; Subject: Re: [nginx/njs] Logic problems happen in the nxt_lvlhsh.c (#188) njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[xeioex]

@l0kihardt

njs is used for nginx configuration and is not an application server. njs only executes js code from a static file which is a part of nginx config file (which must be trusted source anyway).

[VBart]

@l0kihardt If you can control njs script on a server, then you already have a root access and can control the whole server without any bugs needed.

[l0kihardt]

Yeah sure, I use ubuntu 18.04, and did something like this ``` export CC=clang export CFLAGS=-fsanitize=address ./configure make ```

…

------------------ 原始邮件 ------------------ 发件人: "Dmitry Volyntsev"<notifications@github.com>; 发送时间: 2019年7月3日(星期三) 下午4:07 收件人: "nginx/njs"<njs@noreply.github.com>; 抄送: "3087136937"<nine.twelve@foxmail.com>;"Mention"<mention@noreply.github.com>; 主题: Re: [nginx/njs] Logic problems happen in the nxt_lvlhsh.c (#188) @l0kihardt please, also share the way you run your POC. Cannot reproduce it (with ASAN enabled). $ cat github188.js var _export = 1; _export.__proto__.length= _export.__proto__.sum = [1].slice Error(_export.sum((_export.__proto__.length= [1].toString(RegExp(Error()))) ===('loading exception'))) //export default _export; _export; console.log(_export) $ ./build/njs github188.js 1 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.