The popular “pac-resolver” NPM package fixed a serious remote code execution (RCE) flaw.
Agent or non-agent
This week, developer Tim perry revealed a high severity flaw in pac-resolver that may allow threat actors on the local network to execute arbitrary code in your Node.js process whenever it attempts to make an HTTP request.
function FindProxyForURL(url, host) // Send all *.example requests directly with no proxy: if (dnsDomainIs(host, '.example.com')) return 'DIRECT'; // Send every other request via this proxy: return 'PROXY proxy.example.com:8080';
In the example above, network requests to “example.com” will bypass the proxy, while the rest of the traffic must go through a proxy server.
And this is where the problem begins.
For example, an associated NPM package called Pac-Proxy-Agent, which is created by the same author and has over 2 million weekly downloads, provides PAC file support to Node.js applications. Pac-Proxy-Agent does this by taking the URL of a PAC file, retrieving the file, and then acting as a Node.js HTTP agent handling outgoing requests for your application. But Pac-Proxy-Agent fails to sandbox PAC files properly because it uses the vulnerable pac-resolver module, which additionally relies on “degenerator” to build the PAC function.
Degenerator is another package from the same author that allows transforming arbitrary code into a sandbox function using the “VM” module of Node.js. But the VM module was never intended to be used as a security mechanism, which is explicitly stated in the Node.js documents. Therefore, the output of degenerator, when used by a chain of packages like pac-resolver, pac-proxy-agent, and proxy-agent, poses a security risk.
Referring to a disclaimer in Node’s documentation saying, “The vm module is not a security mechanism. Do not use it to run untrusted code,” Perry said in a blog post , “This is an easy mistake to make – it’s a little text (frankly, it should be the title on this page and next to each method).” Perry further alleges that MongoDB also did “exactly the same thing in 2019 as well, with even worse consequences”. However, the CVE Perry link to involves a third-party tool named mongo-express. MongoDB confirmed to Ars that it has no affiliation with the package in question.
Perry further explained that “this creates a big problem. While VM tries to create an isolated environment in a separate context, there is a long list of easy ways to get to the original context and completely get out of the bin. sand … allowing the code inside the ‘sandbox’ to do whatever it wants on your system. “
With that, Perry shared proof of concept exploit code demonstrating how an attacker can exit the VM:
“That’s it, that’s all that’s needed to get out of the VM module sandbox. If you can get a vulnerable target to use this PAC file as a proxy configuration, then you can run code. arbitrary on his machine, ”he explained.
The vulnerability seriously affects those who use versions of pac-resolver prior to 5.0.0, even transitively in their Node.js application, and:
- Explicitly use PAC files for proxy configuration or
- Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled or
- Use proxy configuration (
envvars, config files, remote config endpoints, command line arguments) from untrusted source
A remote attacker can, in any of these scenarios, configure a malicious PAC URL and execute arbitrary code on a computer every time an HTTP request is made using the proxy configuration.
The fix for pac-resolver in version 5.0.0 is simply to upgrade the degenerator version to 3.0.1. The main fix went into the degenerator itself and implements a more powerful sandboxing mechanism through the vm2 module to “prevent privilege escalation of untrusted code”.
Perry thanked Snyk for supporting the developer throughout the coordinated vulnerability disclosure process.
Affected developers should upgrade to pac-resolver version 5.0.0 or higher to address this severe vulnerability in their applications.