来源

关联漏洞

描述

This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python’s internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution.

介绍

# CVE-2024-28397-command-execution-poc
This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python’s internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution.


#  JSON-Parsers & RCE Exploit PoC

##  Overview
This repository contains a **proof-of-concept (PoC)** payload demonstrating a **sandbox escape** through `js2py.disable_pyimport()` a vulnerability in `js2py` versions up to **0.74**.

When an application **evaluates or parses user-supplied JSON/JavaScript unsafely**, this vulnerability allows an attacker to break out of the JavaScript sandbox, reach into Python internals, locate `subprocess.Popen`, and execute arbitrary commands.

---

##  History & Context
- **CVE-2024-28397** was publicly disclosed on **June 20, 2024**, affecting many Python environments using `js2py` to parse JavaScript securely.
- The flaw resides in incomplete sandboxing within `js2py.disable_pyimport()`, and makes it possible to bypass intended import restrictions via global object access.
- The vulnerability carries a **CVSS v3.1 score of 5.3 / Medium** (attack complexity is low; privilege required is low; results in code execution).
- It has since appeared in vulnerability advisories from NVD, GitHub Advisory DB, Snyk, and other major vulnerability platforms.

---

##  Exploit Overview
1. The vulnerable application **parses user-controlled JavaScript or JSON**.
2. The PoC uses a JavaScript snippet to traverse Python object graph:
   - It accesses `__class__`, `__base__`, and `__subclasses__()` to locate `subprocess.Popen`.
   - It executes a shell command and captures the output.
   - The final result is safely returned as a string (JSON-safe).
   - 
##  References
- [GitHub] Marven11 – *CVE-2024-28397: js2py sandbox escape*, PoC & patch https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape  
- [NVD] CVE-2024-28397 entry (CVSS 3.1 = 5.3)  https://nvd.nist.gov/vuln/detail/CVE-2024-28397
- [GitHub Advisory] js2py RCE via `disable_pyimport()` sandbox escape  https://github.com/advisories/GHSA-h95x-26f3-88hr
- [Wiz] Technical deep-dive and mitigation guidance  https://www.wiz.io/vulnerability-database/cve/cve-2024-28397
- [MITRE] CVE registry summary and external links  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28397
- [Rapid7] Metasploit module leveraging this vulnerability in Pyload  http://www.rapid7.com/blog/post/2024/11/22/metasploit-weekly-wrap-up-11-22-2024

文件快照

 [4.0K]  /data/pocs/03927065ecb06dae380d082573be9dd76c1e1230
├── [ 793]  payload.js
└── [2.5K]  README.md

0 directories, 2 files

备注