CVE-2020-19695: Array elements left uninitialized in Array.prototype.slice() for primitive this values. · Issue #188 · nginx/njs

Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parameter of the njs/njs_vm.c function.


env

ubuntu 18.04
njs 0feca92
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
built with ASAN on

bug

```
> (1…__proto__.length = '1', Array.prototype.slice.call(1, 0, 2)).toString()
ASAN:SIGSEGV
=================================================================
==13918==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000407181 bp 0x7ffdf2511450 sp 0x7ffdf2511430 T0)
    #0 0x407180 in nxt_lvlhsh_find nxt/nxt_lvlhsh.c:181
    #1 0x4479b7 in njs_object_property njs/njs_object_property.c:757
    #2 0x4210c2 in njs_primitive_value njs/njs_vm.c:2987
    #3 0x4206ec in njs_vmcode_string_argument njs/njs_vm.c:2864
    #4 0x41473f in njs_vmcode_interpreter njs/njs_vm.c:159
    #5 0x412c4e in njs_vm_start njs/njs.c:594
    #6 0x404a75 in njs_process_script njs/njs_shell.c:771
    #7 0x40387b in njs_interactive_shell njs/njs_shell.c:501
    #8 0x402ad1 in main njs/njs_shell.c:271
```
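Added example, not code from this issue or from njs: a plain-JS model of the ECMA-262 `Array.prototype.slice` algorithm, to show what a conforming engine returns for the trigger above (a `length` on `Number.prototype`, then `slice` called with a primitive receiver). The spec boxes the primitive with ToObject, clamps `end` to ToLength(length), and copies only indices that HasProperty reports present, so the result is a short array with holes, never uninitialized slots. The names `specSlice`, `demo`, `toLength` and `toIntegerOrInfinity` are my own; the `native` field in `demo()` runs the host engine's real `slice` beside the model so the two can be compared on whatever engine you run this in.

```javascript
// Hypothetical helper names (specSlice, demo, toLength, toIntegerOrInfinity);
// this is a reference model of ECMA-262 Array.prototype.slice, not njs code.

function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

function toLength(v) {
  const n = toIntegerOrInfinity(v);
  if (n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Array.prototype.slice(start, end), minus ArraySpeciesCreate.
function specSlice(thisArg, start, end) {
  // Step 1: O = ToObject(this). A primitive is boxed, so its prototype
  // (Number.prototype for 1) is what supplies "length".
  const O = Object(thisArg);
  // Step 2: len = ToLength(Get(O, "length")).
  const len = toLength(O.length);
  // Steps 3-4: relativeStart -> k.
  const relativeStart = toIntegerOrInfinity(start);
  let k = relativeStart < 0 ? Math.max(len + relativeStart, 0)
                            : Math.min(relativeStart, len);
  // Steps 5-6: relativeEnd -> final, clamped to len.
  const relativeEnd = end === undefined ? len : toIntegerOrInfinity(end);
  const final = relativeEnd < 0 ? Math.max(len + relativeEnd, 0)
                                : Math.min(relativeEnd, len);
  // Step 7: count = max(final - k, 0); A = ArrayCreate(count).
  const count = Math.max(final - k, 0);
  const A = new Array(count);
  // Steps 9-10: copy only present properties; absent indices stay holes.
  let n = 0;
  while (k < final) {
    const Pk = String(k);
    if (Pk in O) {          // HasProperty(O, Pk)
      A[n] = O[Pk];         // CreateDataPropertyOrThrow(A, n, Get(O, Pk))
    }
    k++;
    n++;
  }
  // Step 11: Set(A, "length", n).
  A.length = n;
  return A;
}

// Same shape as the report's trigger: Number.prototype.length = '1', then
// slice with a primitive receiver. Restores Number.prototype afterwards.
function demo() {
  const saved = Object.getOwnPropertyDescriptor(Number.prototype, 'length');
  Number.prototype.length = '1';
  try {
    const r = specSlice(1, 0, 2);
    return {
      length: r.length,       // ToLength('1') = 1, so final = min(2, 1) = 1
      hasIndex0: 0 in r,      // Object(1) has no "0", so index 0 is a hole
      str: r.toString(),      // a hole stringifies to "", not to garbage
      native: Array.prototype.slice.call(1, 0, 2).length, // host engine
    };
  } finally {
    if (saved) Object.defineProperty(Number.prototype, 'length', saved);
    else delete Number.prototype.length;
  }
}
```

Run `demo()` under node or under a patched njs: `length` and `native` should both be 1, `hasIndex0` false and `str` the empty string. The model is generic, so `specSlice({length: 3, 0: 'a', 2: 'c'}, 0, 3)` also shows the array-like and hole cases that the fixed engine has to handle identically.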

njs scripts have no remote access, so the attacker can’t control them and thus it’s not a remote code execution.

Hmm, but I think this may cause at least code execution, if you can control the JS it executes. Maybe LPE?

> On Wed, Jul 3, 2019, 15:53, "Valentin V. Bartenev" wrote (Re: [nginx/njs] Logic problems happen in the nxt_lvlhsh.c (#188)):
> njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution.

@l0kihardt njs is used for nginx configuration and is not an application server. njs only executes JS code from a static file which is a part of the nginx config file (which must be a trusted source anyway).

@l0kihardt If you can control the njs script on a server, then you already have root access and can control the whole server without any bugs needed.

xeioex changed the title from "Logic problems happen in the nxt_lvlhsh.c" to "Array elements left uninitialized in Array.prototype.slice() for primitive this values." on Jul 3, 2019

Yeah sure, I use ubuntu 18.04, and did something like this

```
export CC=clang
export CFLAGS=-fsanitize=address
./configure
make
```

------------------ Original message ------------------
From: "Dmitry Volyntsev"
Sent: Wednesday, July 3, 2019, 16:07
To: "nginx/njs"
Cc: "3087136937"; "Mention"
Subject: Re: [nginx/njs] Logic problems happen in the nxt_lvlhsh.c (#188)

> @l0kihardt please, also share the way you run your POC. Cannot reproduce it (with ASAN enabled).

```
$ cat github188.js
var _export = 1;
_export.__proto__.length= _export.__proto__.sum = [1].slice
Error(_export.sum((_export.__proto__.length= [1].toString(RegExp(Error()))) ===('loading exception')))
//export default _export;
_export;
console.log(_export)
$ ./build/njs github188.js
1
```
