POC details: e8c53097bd560ba723fc41c67afcfa2b1863b4b6

Source
Related vulnerability
Title: Js2Py security vulnerability (CVE-2024-28397)
Description: Js2Py is a library of the Python Foundation used to convert JavaScript into Python code. Js2Py 0.74 and earlier contain a security vulnerability caused by a flaw in the js2py.disable_pyimport() component; an attacker can exploit it to execute arbitrary code through a crafted API call.
Introduction
## Introduction

[中文](./README_zh.md)

js2py is a popular Python package that can evaluate JavaScript code inside the Python interpreter. It is used by various web scrapers to parse JavaScript code on websites.

There is a vulnerability in the implementation of global variables within js2py that can allow an attacker to obtain references to Python objects from inside the js2py environment, thereby letting the attacker escape the JS environment and execute arbitrary commands on the host.

Typically the user calls `js2py.disable_pyimport()` to stop JavaScript code from leaving the js2py environment. With this vulnerability, an attacker can circumvent that restriction and execute any command on the host.

Threat actors can host websites that contain malicious JS files, or send malicious scripts via an HTTP API, for victims to evaluate. By doing so, the actor achieves remote code execution on the host and can run any shell command on the target.

## Vulnerability details

- Affected component versions:
  - the latest js2py (<=0.74) running under Python 3
- Affected products:
  - [pyload/pyload](https://github.com/pyload/pyload)
  - [VeNoMouS/cloudscraper](https://github.com/VeNoMouS/cloudscraper) (uses js2py as an optional 'js interpreter')
  - [dipu-bd/lightnovel-crawler](https://github.com/dipu-bd/lightnovel-crawler)
- Steps to reproduce:
  - Install a Python 3 version below 3.12; currently `js2py` does not support Python 3.12.
  - Run `pip install js2py` to install `js2py`, then execute `poc.py`, which tries to execute `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists, the script prints `Success! the vulnerability exists...` or pops up a calculator.

## Fix

Currently no official fix is available; users can use `fix.py` to dynamically patch js2py at runtime, or apply `patch.txt` to fix the source code.

## Others

I found this vulnerability in February and submitted a PR to the official repo. But after that, the PR was forgotten and four months have passed, so I have decided to release the PoC and the fix now.
File snapshot

```
[4.0K] /data/pocs/e8c53097bd560ba723fc41c67afcfa2b1863b4b6
├── [ 96K] affected_version_test.txt
├── [ 464] fix.py
├── [ 402] patch.txt
├── [1.2K] poc.py
├── [2.0K] README.md
├── [1.6K] README_zh.md
└── [   6] requirements.txt

0 directories, 7 files
```