Listen to this Post
The vulnerability arises when Shescape is configured to use a shell whose path is a symbolic link pointing to another symbolic link (a link to a link). Shescape attempts to identify the shell type by resolving the provided path to determine appropriate escaping rules. However, when the path is a two-level symlink, the resolution logic can misidentify the shell or fail to correctly apply the escaping required for the actual shell that will be invoked. This confusion leads to insufficient escaping of user-controlled input passed to the shell. An attacker can craft a payload that, although escaped by Shescape, is interpreted by the real shell in an unintended way. In the proof of concept, the payload “a=:~” is escaped and passed to exec. Under normal escaping, this should be harmless, but due to the misidentification, the shell expands the `~` to the user’s home directory, exposing it in the output. The root cause is that Shescape’s internal shell detection does not fully resolve symlinks and may treat the intermediate link as a shell, applying incorrect quoting rules. This bypass can lead to information disclosure or potentially more severe injection if the shell interprets other special characters. The issue affects all versions before 2.1.9. The patch corrects symlink resolution and ensures the correct shell type is always used for escaping.
Platform: Shescape
Version: before 2.1.9
Vulnerability: Symlink Bypass
Severity: Medium
date: 2023-08-03
Prediction: Patched 2023-08-03
What Undercode Say:
Analytics:
CVSS 3.1 score 5.3 (Medium). Affects all versions <2.1.9. Exploitation requires attacker-controlled input passed to a shell where the shell path is a two-level symlink. The vulnerability was discovered and patched in August 2023.
Bash commands and codes:
Create symlink chain for demonstration ln -s /bin/bash ./csh ln -s ./csh ./link Run a Node.js script to reproduce the issue (requires [email protected]) cat > poc.js << 'EOF' import fs from "node:fs"; import { exec } from "node:child_process"; import { Shescape } from "shescape"; import which from "which"; const shell = which.sync("bash"); const linkToShell = "./csh"; const linkToLink = "./link"; fs.symlinkSync(shell, linkToShell); fs.symlinkSync(linkToShell, linkToLink); const execOptions = { shell: linkToLink }; const shescape = new Shescape({ shell: execOptions.shell }); const userInput = "a=:~"; exec(<code>echo Hello ${shescape.escape(userInput)}</code>, execOptions, (error, stdout) => { console.log(stdout); // Output includes home directory }); EOF npm install [email protected] node poc.js
Exploit:
The attacker supplies input containing shell metacharacters (e.g., ~) that are not properly escaped. In the context of a vulnerable Shescape, the shell expands `~` to the user’s home directory, revealing sensitive path information. More complex payloads could potentially execute arbitrary commands if the shell misinterprets other characters.
Protection from this CVE:
- Upgrade to [email protected] or later: `npm install shescape@latest`
– Avoid using shell paths that are symbolic links pointing to another link. - If upgrading is not possible, do not use a shell at all, or ensure the shell path is a direct, non-symlinked executable.
Impact:
Information disclosure (e.g., home directory path). In some environments, this could be a stepping stone for further attacks. No direct remote code execution is demonstrated, but the bypass of escaping mechanisms could increase the attack surface.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

