Impact
A __proto__
pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.
Summary
A __proto__
pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier
module, defining a parser
property on __proto__
with a path to a JS module on disk causes a require
of the value which can lead to arbitrary code execution.
Patch
A fix has been released in deobfuscator@2.4.4
.
Mitigation
Proof of Concept
Craft a malicious input file named poc.js
as follows:
// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())
// Synchrony exploit PoC
{
var __proto__ = { parser: 'poc.js' }
}
Then, run synchrony poc.js
from the same directory as the malicious file.
Credits
This vulnerability was found and disclosed by William Khem-Marquez.
References
Impact
A
__proto__
pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.Summary
A
__proto__
pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.When executing in Node.js, due to use of the
prettier
module, defining aparser
property on__proto__
with a path to a JS module on disk causes arequire
of the value which can lead to arbitrary code execution.Patch
A fix has been released in
deobfuscator@2.4.4
.Mitigation
Proof of Concept
Craft a malicious input file named
poc.js
as follows:Then, run
synchrony poc.js
from the same directory as the malicious file.Credits
This vulnerability was found and disclosed by William Khem-Marquez.
References