Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution

Impact

A __proto__ pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.

Summary

A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.

When executing in Node.js, due to use of the prettier module, defining a parser property on __proto__ with a path to a JS module on disk causes a require of the value which can lead to arbitrary code execution.

Patch

A fix has been released in [email protected].

Mitigation

• Upgrade synchrony to v2.4.4
• Launch node with the –disable-proto=delete or –disable-proto=throw flag

Proof of Concept

Craft a malicious input file named poc.js as follows:

// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())

// Synchrony exploit PoC
{
  var __proto__ = { parser: 'poc.js' }
}

Then, run synchrony poc.js from the same directory as the malicious file.

Credits

This vulnerability was found and disclosed by William Khem-Marquez.