Marven11 / CVE-2024-28397-js2py-Sandbox-Escape

CVE-2024-28397: js2py sandbox escape, bypass pyimport restriction.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Introduction

中文 Analysis (Chinese)

js2py is a popular python package that can evaluate javascript code inside python interpreter. It is used by various web scrapers to parse javascript code on the website.

There exists a vulnerability in the implementation of a global variable inside js2py, allowing an attacker obtaining a reference to a python object in the js2py environment, thus enabling the attacker to escape JS environment and execute arbitrary commands on the host.

Normally, a user would call js2py.disable_pyimport() to stop JavaScript code from escaping the js2py environment. But with this vulnerability, an attacker can evade this restriction and execute any command on the target host.

The threat actor can host a website containing a malicious JavaScript file or send a malicious script via HTTP API for victim to parse. By doing that, the actor can commit remote code execution on the host by executing any shell command on the target.

Details of the vulnerability

  • Version number of the affected component:
    • latest js2py (<=0.74) that runs under python 3
  • affected products:
  • The steps to reproduce:
    • install python3 under 3.12, currently js2py don't support python3.12.
    • Run pip install js2py to install js2py and execute poc.py, which would try to execute head -n 1 /etc/passwd; calc; gnome-calculator; kcalc; on the host.
    • If the vulnerability exists the script should print Success! the vulnerability exists... or pop up calculator.

Fix

Currently, an official fix is unavailable, users can use fix.py to dynamically patch js2py or use patch.txt to fix the source code.

Others

I found this vulnerability in Feburary, and submitted a PR to the official repo. But after that, the PR was forgotten and after four months have passed, I decide to release the PoC and the fix now.

About

CVE-2024-28397: js2py sandbox escape, bypass pyimport restriction.


Languages

Language:Python 100.0%