NPM package with 3 million weekly downloads had a severe vulnerability


Popular NPM package “pac-resolver” has fixed a severe remote code execution (RCE) flaw.

The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration files and generates a function for your app to map certain domains to use a proxy.

To proxy or not to proxy

This week, developer Tim Perry disclosed a high-severity flaw in pac-resolver that could allow threat actors on the local network to run arbitrary code inside your Node.js process whenever it attempts to make an HTTP request.

While adding proxy support to his HTTP Toolkit, Perry began auditing the pac-resolver code and came across the security issue. Tracked as CVE-2021-23406, the vulnerability has to do with how Proxy Auto-Config (PAC) files are processed by the module. PAC files consist of JavaScript code specifying a proxy configuration: which network requests should go over a proxy and which should go out directly. For example, in a PAC file, network administrators can explicitly specify a network proxy through which all traffic should be routed and list domains that are exempted from the requirement:

  function FindProxyForURL(url, host) {
    // Send all *.example requests directly with no proxy
    // ('example.com' is a placeholder domain; the value in the original listing is missing):
    if (dnsDomainIs(host, 'example.com')) {
      return 'DIRECT';
    }

    // Send every other request via this proxy
    // (host:port is likewise a placeholder for the missing original value):
    return 'PROXY proxy.example.com:8080';
  }

In the example above, network requests to the exempted domain bypass the proxy, while the rest of the traffic is directed through a proxy server.

Initially launched as part of Netscape Navigator 2.0 in 1996, the PAC standard remains relevant and in widespread use today. For example, the Web Proxy Auto-Discovery Protocol (WPAD) uses DNS and/or DHCP services to find PAC files on a network and import the proxy configuration into an application. However, as proxy configurations grow larger, the JavaScript code in a PAC file can get increasingly complex and is ideally designed to run in a virtualized environment (VM).

A few lines of JavaScript can bypass the VM, leading to RCE

And that is where the problem begins.

For example, a related NPM package called Pac-Proxy-Agent, which is made by the same author and has over 2 million weekly downloads, provides PAC file support to Node.js applications. Pac-Proxy-Agent does so by taking in the URL to a PAC file, retrieving the file, and then acting as a Node.js HTTP agent handling outgoing requests for your application. But Pac-Proxy-Agent fails to sandbox PAC files properly because it uses the vulnerable pac-resolver module, which in turn relies on “degenerator” to build the PAC function.

Degenerator is yet another package by the same author that helps transform arbitrary code into a sandboxed function using Node.js’ “VM” module. But the VM module was never designed to be used as a security mechanism, something that is explicitly spelled out in the Node.js docs. Therefore, the output from degenerator, when used by a chain of packages like pac-resolver, Pac-Proxy-Agent, and proxy-agent, poses a security risk.

Referring to a disclaimer in the Node docs saying, “The vm module is not a security mechanism. Do not use it to run untrusted code,” Perry said in a blog post, “This is an easy mistake to make—it’s small text (frankly, it should be the headline on that page and next to every method).” Perry further alleges that MongoDB also did “the exact same thing too in 2019, with even worse consequences.” However, the CVE Perry links to involves a third-party tool named mongo-express. MongoDB confirmed to Ars that they have no affiliation with the package in question.

Perry explained further that “this creates a big problem. While VM does try to create an isolated environment in a separate context, there is a long list of easy ways to access the original context and break out of the sandbox entirely… allowing code inside the ‘sandbox’ to basically do anything it likes on your system.”

With that, Perry shared proof-of-concept exploit code demonstrating how an attacker can break out of the VM.

“That’s it—that’s all that’s required to break out of the VM module sandbox. If you can make a vulnerable target use this PAC file as their proxy configuration, then you can run arbitrary code on their machine,” he explained.

The vulnerability severely impacts those who use pac-resolver versions prior to 5.0.0, even transitively in their Node.js application, and:

  • Explicitly use PAC files for proxy configuration, or
  • Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled, or
  • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from an untrusted source

A remote attacker can, in any of these scenarios, configure a malicious PAC URL and run arbitrary code on a computer any time an HTTP request is made using the proxy configuration.

The fix for pac-resolver in version 5.0.0 consists of simply bumping the degenerator version to 3.0.1. The core fix went into degenerator itself and implements a stronger sandboxing mechanism via the vm2 module to “prevent privilege escalation of untrusted code.”

Perry thanked Snyk for supporting the developer throughout the coordinated vulnerability disclosure process.

Affected developers should upgrade to pac-resolver version 5.0.0 or above to fix this severe vulnerability in their applications.
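As an added example (not code from the Ars article, from Tim Perry, or from the pac-resolver project), the following Node.js script checks whether an application falls into the affected group described above by scanning its package-lock.json for any copy of pac-resolver below 5.0.0, including transitive copies nested under other packages such as proxy-agent. It assumes a lockfileVersion 1 (nested "dependencies") or lockfileVersion 2/3 ("packages" keyed by node_modules path) layout; the sample lockfile embedded in it is constructed for this example.

```javascript
// Added example (not from the Ars article, Tim Perry, or the pac-resolver
// project): audit an npm lockfile for copies of pac-resolver below the fixed
// version 5.0.0, including transitive (nested) copies. Assumes the lockfile is
// lockfileVersion 1 (nested "dependencies") or 2/3 ("packages" keyed by
// node_modules path); the sample lockfile below is constructed for the example.

const TARGET = 'pac-resolver';
const FIXED = [5, 0, 0]; // first pac-resolver release carrying the degenerator 3.0.1 bump

// Extract numeric major.minor.patch from a version string; null if not parseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when `version` sorts before `floor`. An unparseable version is treated
// as below the fix so that it is surfaced rather than silently passed.
function isBelow(version, floor) {
  const parts = parseVersion(version);
  if (!parts) return true;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== floor[i]) return parts[i] < floor[i];
  }
  return false;
}

// lockfileVersion 1: recurse through the nested "dependencies" tree.
function walkV1(deps, path, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (name === TARGET) out.push({ path: here.join(' > '), version: entry.version });
    walkV1(entry.dependencies, here, out);
  }
}

// lockfileVersion 2/3: every installed package is a key such as
// "node_modules/proxy-agent/node_modules/pac-resolver".
function walkPackages(packages, out) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project itself
    const segs = key.split('node_modules/').map(s => s.replace(/\/$/, '')).filter(Boolean);
    if (segs[segs.length - 1] === TARGET) {
      out.push({ path: segs.join(' > '), version: entry.version });
    }
  }
}

// Return every pac-resolver copy in the lockfile whose version is below 5.0.0.
function findVulnerablePacResolver(lockfile) {
  const found = [];
  if (lockfile.packages) walkPackages(lockfile.packages, found);
  else walkV1(lockfile.dependencies, [], found);
  return found.filter(f => isBelow(f.version, FIXED));
}

// Constructed sample lockfile: the top-level pac-resolver is already fixed,
// but a nested copy pulled in under proxy-agent is still on the 4.x line.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/pac-resolver': { version: '5.0.0' },
    'node_modules/proxy-agent': { version: '0.0.0-constructed' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
  },
};

// Run against a real lockfile given on the command line, otherwise the sample.
if (typeof require === 'function' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerablePacResolver(lock);
  for (const h of hits) console.log(`pac-resolver ${h.version} (< 5.0.0) at ${h.path}`);
  if (hits.length === 0) console.log('no pac-resolver below 5.0.0 found');
}
```

Run it as `node audit-pac-resolver.js path/to/package-lock.json`; a hit reported under a nested path means the vulnerable copy is transitive, so bumping the top-level dependency alone may not remove it and the intermediate package (proxy-agent or pac-proxy-agent in the sample) has to be updated or deduplicated as well.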
