
CVE-2024-28397 PoC — Js2Py security vulnerability

Source
Associated vulnerability
Title: Js2Py security vulnerability (CVE-2024-28397)
Description: Js2Py is a Python library that translates JavaScript into Python code. Js2Py 0.74 and earlier contain a security vulnerability in the js2py.disable_pyimport() component; an attacker can exploit it to execute arbitrary code through a crafted API call.
Readme
## Introduction

[中文](./README_zh.md)

js2py is a popular Python package that can evaluate JavaScript code inside the Python interpreter. It is used by various web scrapers to parse JavaScript code on websites.

There is a vulnerability in the implementation of global variables within js2py that allows an attacker to obtain references to Python objects from inside the js2py environment, and from there to leave the JavaScript environment and execute arbitrary commands on the host.

Typically the user calls `js2py.disable_pyimport()` to stop JavaScript code from leaving the js2py environment. With this vulnerability, an attacker can circumvent that restriction and execute any command on the host.

Threat actors can host websites containing malicious JS files, or send malicious scripts through an HTTP API, for the victim's scraper to evaluate. In doing so they achieve remote code execution on the host by running arbitrary shell commands on the target.

## Vulnerability details

- Affected component versions:
  - the latest js2py (<= 0.74) running under Python 3
- Affected products:
  - [pyload/pyload](https://github.com/pyload/pyload)
  - [VeNoMouS/cloudscraper](https://github.com/VeNoMouS/cloudscraper) (uses js2py as an optional JS interpreter)
  - [dipu-bd/lightnovel-crawler](https://github.com/dipu-bd/lightnovel-crawler)
- Steps to reproduce:
  - Install a Python 3 version below 3.12; `js2py` does not currently support Python 3.12.
  - Run `pip install js2py` to install `js2py`, then execute `poc.py`, which tries to run `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists, the script prints `Success! the vulnerability exists...` or a calculator pops up.

## Fix

No official fix is currently available. Users can run `fix.py` to patch js2py dynamically at import time, or apply `patch.txt` to the js2py source code.
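Because the escape happens inside the same interpreter, `js2py.disable_pyimport()` cannot be treated as a security boundary, and the dynamic patch above only closes the one path that was reported. Until a fixed release exists, the practical mitigation is to treat evaluation of attacker-controlled JavaScript as untrusted code execution and confine it. The following is an added example, not the repository's `fix.py` and not part of js2py: it runs the evaluation in a throwaway child interpreter with a wall-clock timeout and POSIX resource limits, feeding the script over stdin so it never appears on a command line. It assumes a POSIX host and that js2py is installed for the child interpreter; the `run_isolated` and `eval_untrusted_js` names are my own.

```python
"""
Confine js2py evaluation of untrusted JavaScript in a child process.

Added example: disable_pyimport() is bypassable (CVE-2024-28397), so the
boundary is moved out of the interpreter into a separate process with a
timeout and rlimits.  Assumes POSIX; js2py must be installed for the child.
"""
import subprocess
import sys
import textwrap

try:
    import resource            # POSIX only; absent on Windows
except ImportError:            # pragma: no cover
    resource = None

# Program run by the child interpreter (assumption: js2py importable there).
# The untrusted script arrives on stdin, never as an argv element.
JS2PY_CHILD = textwrap.dedent("""
    import sys
    import js2py
    js2py.disable_pyimport()      # still worth doing, just not sufficient
    print(js2py.eval_js(sys.stdin.read()))
""")


def _apply_rlimits(cpu_seconds: int, mem_bytes: int) -> None:
    """Runs in the forked child before exec: cap CPU, address space, forks."""
    for name, desired in (("RLIMIT_CPU", cpu_seconds),
                          ("RLIMIT_AS", mem_bytes),
                          ("RLIMIT_NPROC", 0)):   # 0: child may not fork (ignored for root)
        res = getattr(resource, name, None)
        if res is None:
            continue
        _soft, hard = resource.getrlimit(res)
        new = desired if hard == resource.RLIM_INFINITY else min(desired, hard)
        resource.setrlimit(res, (new, hard))


def _as_text(data) -> str:
    """TimeoutExpired may carry bytes even in text mode; normalise to str."""
    if data is None:
        return ""
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data


def run_isolated(child_source: str, stdin_text: str = "", timeout_s: float = 5.0,
                 mem_bytes: int = 512 * 2**20) -> dict:
    """Execute `child_source` in a fresh interpreter; never raises on hostile input."""
    cmd = [sys.executable, "-B", "-c", child_source]
    pre = (lambda: _apply_rlimits(int(timeout_s) + 1, mem_bytes)) if resource else None
    try:
        proc = subprocess.run(cmd, input=stdin_text, capture_output=True, text=True,
                              timeout=timeout_s, preexec_fn=pre)
    except subprocess.TimeoutExpired as exc:     # child was killed by subprocess.run
        return {"ok": False, "timed_out": True, "returncode": None,
                "stdout": _as_text(exc.stdout), "stderr": _as_text(exc.stderr)}
    return {"ok": proc.returncode == 0, "timed_out": False,
            "returncode": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}


def eval_untrusted_js(js_source: str, timeout_s: float = 5.0) -> dict:
    """Evaluate attacker-controlled JavaScript with js2py inside the confined child."""
    return run_isolated(JS2PY_CHILD, stdin_text=js_source, timeout_s=timeout_s)


if __name__ == "__main__":
    # Constructed sample input; with js2py installed this prints "3".
    print(eval_untrusted_js("1 + 2"))
```

The fork limit stops the shell-spawning payload the PoC uses, but an escaped script still runs as the child's user with that user's file-system and network access, and rlimits do not apply to root. For anything exposed to the internet, run the child under a dedicated unprivileged user in a container or with seccomp, and treat non-zero exit or timeout as a security event worth logging.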

## Others

I found this vulnerability in February and submitted a PR to the official repo. But after that, the PR was forgotten, and four months have passed, so I decided to release the PoC and the fix now.
File Snapshot

[4.0K] /data/pocs/e8c53097bd560ba723fc41c67afcfa2b1863b4b6
├── [ 96K] affected_version_test.txt
├── [ 464] fix.py
├── [ 402] patch.txt
├── [1.2K] poc.py
├── [2.0K] README.md
├── [1.6K] README_zh.md
└── [   6] requirements.txt

0 directories, 7 files