Описание
Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
Impact
A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.
Summary
A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier module, defining a parser property on __proto__ with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.
Patch
A fix has been released in deobfuscator@2.4.4.
Mitigation
- Upgrade synchrony to v2.4.4
- Launch node with the --disable-proto=delete or --disable-proto=throw flag
Proof of Concept
Craft a malicious input file named poc.js as follows:
Then, run synchrony poc.js from the same directory as the malicious file.
Credits
This vulnerability was found and disclosed by William Khem-Marquez.
Ссылки
Пакеты
deobfuscator
>= 2.0.1, < 2.4.4
2.4.4
Связанные уязвимости
Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags