HackerOne report H1:2091137 (history: Jul 31, 2023, 11:00 p.m.)

Internet Bug Bounty: OpenSSL engines can be used to bypass and/or disable the Node.js permission model

Published: 2023-07-31 23:00:54
Reporter: tniessen
Source: hackerone.com
Bounty: $2540
Tags: internet bug bounty, openssl engines, node.js permission model, arbitrary code, vulnerability

EPSS: 0.001 (Low), percentile 21.1%

Summary: Node.js 20 allows loading arbitrary OpenSSL engines even when the permission model is enabled, which can bypass and/or disable the permission model.

Description: The permission model implementation permits loading arbitrary native code, e.g., through crypto.setEngine(), even when native addons are disallowed, which is the default configuration. Not only can this code bypass the permission system, it can also disable the permission system entirely, effectively allowing JavaScript code to escalate its own privileges.

Steps To Reproduce:

  1. Enable the permission model.
  2. Call, for example, crypto.setEngine() with a compatible OpenSSL engine.
  3. Arbitrary code execution occurs, unaffected by the permission model.

Impact

The permission model is supposed to restrict the capabilities of running code. However, exploiting this vulnerability allows an attacker to easily bypass the permission model entirely. The OpenSSL engine can, for example, disable the permission model in the host process, and subsequently executed JavaScript code will be unaffected by the previously enabled permission model. This allows running JavaScript code to effectively elevate its own permissions.