The team found the bug during a months-long project investigating vulnerabilities in JavaScript sandboxes. While the vulnerability does not provide root access to the host device, it gives complete access to the Node.js API, something vm2 is trying to restrict, Staicu explained. “vm2 is supposed to prevent access to the global object/privileged operations (e.g., require), and we show how an attacker might get around this security control.” They are both the result of sandbox breakout,” Staicu said. “In the PoC published by Snyk, we show both a prototype pollution payload and an arbitrary code execution. RELATED Prototype pollution vulnerabilities rife among high-traffic websites, study finds While the bug has been filed as ‘prototype pollution’, Cristian-Alexandru Staicu, one of the researchers who helped discover and report the bug, told The Daily Swig that a better title would be “sandbox breakout”. Sandbox breakoutĪ proof-of-concept (PoC) on Snyk shows how a few lines of code can exploit the vulnerability in vm2 to carry out a prototype pollution and RCE attack on the host. Prototype pollution is a kind of vulnerability in JavaScript and other object-based languages that allows attackers to run arbitrary code by dynamically injecting properties into sensitive objects. However, CISPA Helmholtz Center for Information Security, a cybersecurity research group in Germany, found that the library is open to prototype pollution attacks. Vm2’s GitHub page describes the library as “a sandbox that can run untrusted code with whitelisted Node's built-in modules. Sandbox breakout can lead to remote code execution, researchers warnĪ bug in vm2, a sandbox for testing untrusted JavaScript code, makes it possible for malicious parties to circumvent the library’s security controls and carry out remote code execution (RCE) attacks, a group of researchers have found.
0 kommentar(er)
