Related vulnerability
Title:
Js2Py security vulnerability
(CVE-2024-28397)
Description: Js2Py is a library of the Python Foundation, used to translate JavaScript into Python code. Js2Py versions 0.74 and earlier contain a security vulnerability caused by an issue in the js2py.disable_pyimport() component; an attacker can exploit it to execute arbitrary code through crafted API calls.
Description
CVE-2024-28397: js2py sandbox escape, bypass pyimport restriction.
Introduction
## Introduction
[Chinese](./README_zh.md)
`js2py` is a popular Python package that evaluates JavaScript code inside the Python interpreter. It is used by various web scrapers to parse JavaScript code on websites.
There exists a vulnerability in the implementation of a global variable inside `js2py` that allows an attacker to obtain a reference to a Python object from within the js2py environment, enabling the attacker to escape the JavaScript environment and execute arbitrary commands on the host.
Normally a user would call `js2py.disable_pyimport()` to stop JavaScript code from escaping the `js2py` environment. With this vulnerability, an attacker can evade that restriction and execute any command on the host.
A threat actor can host a website containing a malicious JavaScript file, or send a malicious script via an HTTP API for the victim to parse. By doing so, the actor achieves remote code execution on the host, running any shell command on the target.
## Details of the vulnerability
- Version number of the affected component:
  - latest js2py (<=0.74) running under Python 3
- Affected products:
  - [pyload/pyload](https://github.com/pyload/pyload)
  - [VeNoMouS/cloudscraper](https://github.com/VeNoMouS/cloudscraper) (uses js2py as an optional 'js interpreter')
  - [dipu-bd/lightnovel-crawler](https://github.com/dipu-bd/lightnovel-crawler)
- Steps to reproduce:
  - Install a Python 3 version below 3.12; `js2py` currently does not support Python 3.12.
  - Run `pip install js2py` to install `js2py` and execute `poc.py`, which will try to execute `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists, the script should print `Success! the vulnerability exists...` or pop up a calculator.
## Fix
Currently no official fix is available; users can use `fix.py` to dynamically patch js2py, or use `patch.txt` to fix the source code.
## Others
I found this vulnerability in February and submitted a PR to the official repo. But after that the PR was forgotten, and since four months have passed, I have decided to release the PoC and the fix now.
File snapshot
[4.0K] /data/pocs/28175f42d1147a3a35100320360e7272dc855220
├── [ 96K] affected_version_test.txt
├── [ 464] fix.py
├── [ 402] patch.txt
├── [1.2K] poc.py
├── [2.0K] README.md
├── [1.6K] README_zh.md
└── [ 6] requirements.txt
0 directories, 7 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.