Description

CVE-2023-29017 is a critical security vulnerability in the VM2 library, a Node.js module that provides a sandboxed environment for running untrusted code. The vulnerability allowed a threat actor to bypass the VM2 sandbox and obtain remote code execution on the host running it. This was possible because VM2 did not properly handle host objects passed to Error.prepareStackTrace in the case of unhandled async errors. The vulnerability was patched in version 3.9.15 of VM2.

Impact

This vulnerability could potentially affect any user or organization that uses the VM2 library to run untrusted code. A threat actor who exploited it could execute arbitrary code on the host running the sandbox, potentially leading to data theft, system compromise, or other malicious activity. While the average internet user does not use the VM2 library directly, many web applications and services rely on Node.js and its associated modules, so the vulnerability is a potential threat to a wide range of users.

Exploit

To better understand how this vulnerability could be exploited, let's take a closer look at the provided source code:

Error.prepareStackTrace = (e, frames) => {
    frames.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
};

(async ()=>{}).constructor('return process')()

The first statement installs a custom Error.prepareStackTrace handler. Whenever V8 formats a stack trace, it calls this handler with the error and an array of call-site frames. The handler takes frames.constructor.constructor, which, when the frames array is a host object rather than a sandbox object, is the host's Function constructor, and uses it to obtain the host's global process object. From there it reaches the require function of the main module, loads the child_process module, and calls execSync to run the touch command, which creates a new file called "flag". The second statement uses the constructor property of an empty async function to build a function whose body is return process and invokes it; this is the trigger that produces the unhandled async error through which, because of the flaw described above, host objects reach the handler.

This code is an example of how a threat actor could exploit the vulnerability in VM2 to execute arbitrary code on the host running the sandbox. Because a host object reaches Error.prepareStackTrace, the threat actor's handler can run any code they want with host privileges, including code that compromises the system.

Mitigation

To protect against this vulnerability, users of the VM2 library should update to version 3.9.15 or later, which includes the patch. Additionally, users should follow best practices for running untrusted code, such as restricting access to sensitive information and limiting the CPU time or memory that the virtual machine can use. It is also important to keep all software and libraries up to date so that known vulnerabilities are patched as soon as possible.
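The first mitigation step is knowing where vm2 is installed below the patched version, including transitive copies nested under other dependencies. The following Node.js script is an added example, not code from the advisory or from the VM2 project; it audits a package-lock.json for vm2 entries older than 3.9.15. The lockfile content below is constructed for illustration, the package name some-runner is hypothetical, and the version comparison assumes plain dotted numeric versions (pre-release tags are stripped).

```javascript
// Added example (not from the advisory): audit a package-lock.json for vm2
// versions below the patched release 3.9.15 (CVE-2023-29017).
// Handles the "packages" map of lockfileVersion 2/3 and the legacy
// "dependencies" tree of lockfileVersion 1.

const PATCHED_VM2 = '3.9.15';

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release tags are stripped (assumed absent from the audited lockfiles).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk a parsed lockfile and collect every vm2 instance with its install
// path and version; nested copies under other dependencies count too.
function findVm2(lock) {
  const found = [];
  if (lock.packages) {                      // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/vm2') && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
  }
  if (lock.dependencies) {                  // lockfileVersion 1 (and v2 compat section)
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2' && meta.version) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  // De-duplicate paths reported by both sections of a v2 lockfile.
  const seen = new Set();
  return found.filter(f => !seen.has(f.path) && seen.add(f.path));
}

// Return the vm2 entries that are still below the patched version.
function vulnerableVm2(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  return findVm2(lock).filter(f => compareVersions(f.version, PATCHED_VM2) < 0);
}

// Constructed sample lockfile: a direct vm2 at the patched version and a
// transitive copy, under the hypothetical package some-runner, pinned to an
// older release.
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app', lockfileVersion: 3, packages: {
    '': { name: 'sample-app', dependencies: { vm2: '^3.9.15', 'some-runner': '1.0.0' } },
    'node_modules/vm2': { version: '3.9.15' },
    'node_modules/some-runner': { version: '1.0.0', dependencies: { vm2: '3.9.11' } },
    'node_modules/some-runner/node_modules/vm2': { version: '3.9.11' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of vulnerableVm2(SAMPLE_LOCK)) {
    console.log(`VULNERABLE: ${v.path} has vm2@${v.version} (< ${PATCHED_VM2})`);
  }
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents (for example, fs.readFileSync('package-lock.json', 'utf8')). The direct dependency being patched is not enough: a transitive copy pinned by another package, like the second entry in the sample, is still loaded by that package and remains exploitable until the dependency that pins it is updated or overridden.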

In conclusion, CVE-2023-29017 is a critical security vulnerability that highlights the importance of handling untrusted code properly. By following best practices and keeping software up to date, users can protect themselves against this and similar vulnerabilities.
