NPM package with 3 million weekly downloads had a severe vulnerability


Popular NPM package "pac-resolver" has fixed a severe remote code execution (RCE) flaw.

The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration files and generates a function for your app to map certain domains to use a proxy.

To proxy or not to proxy

This week, developer Tim Perry disclosed a high-severity flaw in pac-resolver that could allow threat actors on the local network to run arbitrary code inside your Node.js process whenever it attempts to make an HTTP request.

While adding proxy support to his HTTP Toolkit, Perry began auditing the pac-resolver code and came across the security issue. Tracked as CVE-2021-23406, the vulnerability has to do with how Proxy Auto-Config (PAC) files are processed by the module. PAC files contain JavaScript code specifying a proxy configuration: which network requests should go over a proxy and which should go out directly. For example, in a PAC file, network administrators can explicitly specify a network proxy through which all traffic should be routed and list domains that are exempted from the requirement:

    function FindProxyForURL(url, host) {
        // Send all *.example.com requests directly with no proxy:
        if (dnsDomainIs(host, '.example.com')) {
            return 'DIRECT';
        }

        // Send every other request via this proxy:
        return 'PROXY proxy.example.com:8080';
    }

In the example above, network requests to "example.com" will bypass the proxy, while the rest of the traffic is directed through a proxy server.

Originally launched as part of Netscape Navigator 2.0 in 1996, the PAC standard remains relevant and in widespread use today. For example, the Web Proxy Auto-Discovery Protocol (WPAD) uses DNS and/or DHCP services to discover PAC files on a network and import the proxy configuration into an application. However, as proxy configurations grow larger, the JavaScript code in a PAC file can get increasingly complex and is ideally designed to run in a virtualized environment (VM).

A few lines of JavaScript can bypass the VM, lead to RCE

And this is where the problem begins.

For example, a related NPM package called Pac-Proxy-Agent, which is made by the same author and has over 2 million weekly downloads, provides PAC file support to Node.js applications. Pac-Proxy-Agent does so by taking in the URL to a PAC file, retrieving the file, and then acting as a Node.js HTTP agent handling outgoing requests for your application. But Pac-Proxy-Agent fails to sandbox PAC files correctly because it uses the vulnerable pac-resolver module, which in turn relies on "degenerator" to build the PAC function.

Degenerator is yet another package by the same author that helps transform arbitrary code into a sandboxed function using Node.js' "vm" module. But the vm module was never designed to be used as a security mechanism, something that is explicitly spelled out in the Node.js docs. Therefore, the output from degenerator, when used by a chain of packages like pac-resolver, Pac-Proxy-Agent, and proxy-agent, poses a security risk.

Referring to a disclaimer in the Node docs saying, "vm module is not a security mechanism. Do not use it to run untrusted code," Perry said in a blog post, "That's an easy mistake to make—it's small text (frankly, it should be the headline on that page and next to every method)." Perry further alleges that MongoDB also did "the very same thing too in 2019, with even worse consequences." However, the CVE Perry links to involves a third-party tool named mongo-express. MongoDB confirmed to Ars that they have no affiliation with the package in question.

Perry explained further that "this creates a huge problem. While VM does try to create an isolated environment in a separate context, there's a long list of easy ways to access the original context and break out of the sandbox entirely… allowing code inside the 'sandbox' to basically do anything it likes on your system."

With that, Perry shared proof-of-concept exploit code demonstrating how an attacker can break out of the VM:

"That's it—that's all that's required to break out of the VM module sandbox. If you can make a vulnerable target use this PAC file as their proxy configuration, then you can run arbitrary code on their machine," he explained.

The vulnerability critically affects those who use pac-resolver versions prior to 5.0.0, even transitively in their Node.js application, and:

  • Explicitly use PAC files for proxy configuration, or
  • Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled, or
  • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from an untrusted source

A remote attacker can, in any of these scenarios, configure a malicious PAC URL and run arbitrary code on a computer any time an HTTP request is made using the proxy configuration.

The fix for pac-resolver in version 5.0.0 consists of simply bumping the degenerator version to 3.0.1. The core fix went into degenerator itself and implements a stronger sandboxing mechanism via the vm2 module to "prevent privilege escalation of untrusted code."

Perry thanked Snyk for supporting the developer throughout the coordinated vulnerability disclosure process.

Affected developers should upgrade to pac-resolver version 5.0.0 or above to fix this severe vulnerability in their applications.
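Because the vulnerable module is usually pulled in transitively (proxy-agent > pac-proxy-agent > pac-resolver > degenerator), a version check has to walk the whole dependency tree. The following added example, not code from the article or from the packages' author, does that over the JSON shape that `npm ls --all --json` prints, flagging any pac-resolver below 5.0.0 or degenerator below 3.0.1; the tree it scans is constructed sample data, and the `dep` helper is only for building it.

```javascript
// Added example: audit an `npm ls --all --json` style tree for the versions
// the article names as fixed. SAMPLE_TREE below is constructed, not real output.

// Fixed versions as stated in the article.
const FIXED = { 'pac-resolver': '5.0.0', degenerator: '3.0.1' };

// Compare two "major.minor.patch" strings; negative when a < b.
// Pre-release suffixes (e.g. "-beta.1") are ignored for the comparison.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect { path, name, version } for every package whose
// installed version is below the fixed one, including transitive copies.
function findVulnerable(tree, trail = [], found = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const path = trail.concat(name);
    const fixed = FIXED[name];
    if (fixed && info.version && compareVersions(info.version, fixed) < 0) {
      found.push({ path: path.join(' > '), name, version: info.version });
    }
    findVulnerable(info, path, found);
  }
  return found;
}

// Constructed sample tree: one vulnerable transitive chain via proxy-agent,
// plus an already-fixed direct copy of pac-resolver that must not be flagged.
const dep = (version, dependencies = {}) => ({ version, dependencies });
const SAMPLE_TREE = dep('1.0.0', {
  'proxy-agent': dep('4.0.1', {
    'pac-proxy-agent': dep('4.1.0', {
      'pac-resolver': dep('4.2.0', { degenerator: dep('2.2.0') }),
    }),
  }),
  'pac-resolver': dep('5.0.0', { degenerator: dep('3.0.1') }),
});

for (const hit of findVulnerable(SAMPLE_TREE)) {
  console.log(`${hit.path}: ${hit.name}@${hit.version} is below ${FIXED[hit.name]}`);
}
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the saved `npm ls --all --json` output.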
