
CVE-2024-28397 PoC: Js2Py security vulnerability

Source
Associated Vulnerability
Title: Js2Py security vulnerability (CVE-2024-28397)
Description: Js2Py is a Python library that translates JavaScript into Python code. Js2Py 0.74 and earlier contain a security vulnerability caused by a flaw in the `js2py.disable_pyimport()` component; an attacker can exploit it to execute arbitrary code through crafted API calls.
Description
CVE-2024-28397: js2py sandbox escape, bypass pyimport restriction.
Readme
## Introduction

[Chinese](./README_zh.md)

`js2py` is a popular Python package that evaluates JavaScript code inside the Python interpreter. It is used by various web scrapers to parse the JavaScript found on websites.

A vulnerability exists in the implementation of a global variable inside `js2py`. It allows an attacker to obtain a reference to a Python object from within the `js2py` environment, escape the JavaScript environment, and execute arbitrary commands on the host.

Normally a user calls `js2py.disable_pyimport()` to stop JavaScript code from escaping the `js2py` environment. With this vulnerability an attacker can evade that restriction and execute any command on the host.

A threat actor can host a website containing a malicious JS file, or send a malicious script via an HTTP API, for the victim to parse. Either way, the actor achieves remote code execution on the host and can run any shell command on the target.

## Details of the vulnerability

- Version number of the affected component:
  - latest `js2py` (<= 0.74) running under Python 3
- Affected products:
  - [pyload/pyload](https://github.com/pyload/pyload)
  - [VeNoMouS/cloudscraper](https://github.com/VeNoMouS/cloudscraper) (uses `js2py` as an optional JS interpreter)
  - [dipu-bd/lightnovel-crawler](https://github.com/dipu-bd/lightnovel-crawler)
- Steps to reproduce:
  - Install a Python 3 release below 3.12; `js2py` does not currently support Python 3.12.
  - Run `pip install js2py` to install `js2py`, then execute `poc.py`, which tries to run `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists, the script prints `Success! the vulnerability exists...` or a calculator window pops up.
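
Before running the PoC it is useful to know which installations and dependency pins fall inside the affected range. The following audit helper is an added example, not code from the PoC repository or from `js2py`; the only fact it takes from the advisory is the version boundary (0.74 and earlier). The requirements-line parser, the comparison on the first two release components, and the sample requirements text are this example's own assumptions.

```python
"""Audit helper for CVE-2024-28397: flag js2py installs at or below 0.74.

Added example, not part of the PoC repository. The version boundary
(<= 0.74) comes from the advisory text; the requirement-line parsing and the
`packaging`-free comparison are this example's own choices.
"""
import re
from importlib import metadata

# Last affected release according to the advisory text.
LAST_AFFECTED = (0, 74)

# Matches requirements-style lines such as "js2py==0.74" or "Js2Py>=0.70".
_REQ_RE = re.compile(
    r"^\s*(?P<name>js2py)\b\s*(?P<op>==|>=|<=|~=|>|<)?\s*"
    r"(?P<ver>[0-9][0-9A-Za-z.\-]*)?",
    re.IGNORECASE,
)


def release_tuple(version):
    """Return (major, minor) from a version string such as '0.74' or '0.74.post1'.

    Only the first two numeric components are compared, so a post-release of
    0.74 is conservatively treated as 0.74 (assumption of this example).
    """
    parts = re.findall(r"\d+", version)
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1])


def is_affected(version):
    """True if the given js2py version lies in the affected range (<= 0.74)."""
    return release_tuple(version) <= LAST_AFFECTED


def installed_js2py_version():
    """Installed js2py version, or None if the package is not present."""
    try:
        return metadata.version("js2py")
    except metadata.PackageNotFoundError:
        return None


def audit_requirements(text):
    """Classify every js2py line in requirements-style text.

    Returns a list of (line, verdict) pairs; verdict is 'affected',
    'not affected', or 'unpinned' (no exact pin, so the installed version
    has to be checked instead).
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _REQ_RE.match(line)
        if not m:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op == "==" and ver:
            verdict = "affected" if is_affected(ver) else "not affected"
        elif op == "<=" and ver:
            # An upper bound at or below 0.74 can only resolve to an affected release.
            verdict = "affected" if is_affected(ver) else "unpinned"
        else:
            verdict = "unpinned"
        findings.append((line, verdict))
    return findings


# Constructed sample requirements file; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
js2py==0.74        # pinned to the last affected release
Js2Py>=0.70        # lower bound only: resolve the installed version
cloudscraper
"""

if __name__ == "__main__":
    for line, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:13} {line}")
    installed = installed_js2py_version()
    if installed is None:
        print("js2py is not installed in this interpreter")
    else:
        state = "AFFECTED" if is_affected(installed) else "not affected"
        print(f"installed js2py {installed}: {state}")
```

The check is deliberately conservative: anything that is not an exact pin above 0.74 is reported as unpinned rather than safe, and the installed version is consulted separately because a lower bound such as `>=0.70` says nothing about what actually resolved.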

## Fix

At the time of writing there is no official fix. Users can run `fix.py` to patch `js2py` dynamically at runtime, or apply `patch.txt` to fix the source code.

## Others

I found this vulnerability in February and submitted a PR to the official repo. But after that, the PR was forgotten and four months have passed, so I decided to release the PoC and the fix now.
File Snapshot

```
[4.0K] /data/pocs/28175f42d1147a3a35100320360e7272dc855220
├── [ 96K] affected_version_test.txt
├── [ 464] fix.py
├── [ 402] patch.txt
├── [1.2K] poc.py
├── [2.0K] README.md
├── [1.6K] README_zh.md
└── [   6] requirements.txt

0 directories, 7 files
```