NPM package with 3 million weekly downloads had a severe vulnerability

An untrusted JavaScript proxy configuration file could execute arbitrary code.

The popular "pac-resolver" NPM package has fixed a serious remote code execution (RCE) flaw.

The pac-resolver package receives more than 3 million downloads per week, which extends the reach of this vulnerability to the many open source Node.js applications that depend on it. Pac-resolver describes itself as a module that accepts JavaScript proxy configuration files and generates a function for your application that maps specific domains to the proxy they should use.

Proxy or no proxy

This week, developer Tim Perry revealed a major flaw in pac-resolver that could enable threat actors on a local network to execute arbitrary code in a Node.js process whenever it attempts to make an HTTP request.

While adding proxy support to his HTTP Toolkit, Perry began examining the pac-resolver code and found a security issue. The vulnerability, tracked as CVE-2021-23406, concerns how pac-resolver handles proxy auto-configuration (PAC) files. PAC files contain JavaScript code that defines the proxy configuration: which network requests should go through a proxy and which should go out directly. For example, in a PAC file a network administrator can specify an explicit network proxy through which all traffic is routed, with exceptions for certain domains:

    function FindProxyForURL(url, host) {
        // Send all requests to *.example.com directly, without a proxy:
        if (dnsDomainIs(host, '.example.com')) {
            return 'DIRECT';
        }
        // Send any other request via this proxy:
        return 'PROXY proxy.example.com:8080';
    }

In the example above, network requests to example.com bypass the proxy server, while all other traffic is routed through the proxy. Originally introduced as part of Netscape Navigator 2.0 in 1996, the PAC standard is still relevant and widely used today. For example, the Web Proxy Auto-Discovery Protocol (WPAD) uses DNS and/or DHCP to locate PAC files on a network and load the proxy configuration into an application. However, as proxy configurations grow, the JavaScript code in a PAC file can become more complex, and it is ideally run inside a virtual machine (VM).

To RCE

And here the problem begins.

For example, a related NPM package called pac-proxy-agent, developed by the same author and downloaded over 2 million times per week, provides PAC file support for Node.js applications. Pac-proxy-agent does this by taking the URL of a PAC file, fetching the file, and then acting as an HTTP agent for Node.js that manages your application's outgoing requests. But pac-proxy-agent cannot safely sandbox PAC files, because it uses the vulnerable pac-resolver, which in turn relies on the "degenerator" package to generate a function from the PAC.

Degenerator is another package by the same author that turns the supplied code into a sandboxed function using Node.js's "vm" module. But the vm module was never designed to be used as a security mechanism, something the Node.js documentation states explicitly. As a result, degenerator's output, when used by a chain of packages such as pac-resolver, pac-proxy-agent and proxy-agent, poses a security risk. "The vm module is not a security mechanism. Don't use it to execute untrusted code," Perry said in a blog post, quoting the disclaimer in the Node docs. "This is an easy mistake to make - it's a small note in the docs (honestly, it should be the title of the page, and next to every method), and MongoDB made exactly the same mistake in 2019, with worse consequences. Separately, there is a long list of easy ways to get at the original context and break out of the sandbox entirely... Code inside the sandbox can do basically anything it likes on your system."


With this, Perry demonstrated proof-of-concept code showing how an attacker could escape the virtual machine: "Done - this is all it takes to get out of the VM sandbox. If you can get a target to use your PAC file as its config, you can run code on their machine." This affects any Node.js application using pac-resolver that loads its proxy configuration (environment variables, config files, remote config endpoints, command line arguments) from an untrusted source.

In any of these scenarios, a remote attacker could supply a malicious PAC URL and execute arbitrary code on the machine whenever an HTTP request is made using that proxy configuration. "The fix in 5.0.0 simply involves bumping the degenerator version to 3.0.1."

Perry thanked Snyk for its support during the coordinated vulnerability disclosure process.

Developers of affected applications should upgrade to pac-resolver version 5.0.0 or later to fix the issue in their applications.
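As an added example (not pac-resolver's or Tim Perry's code), the following defense-in-depth check can be run over a PAC file obtained from any of the untrusted sources named above before it is handed to pac-resolver or pac-proxy-agent. It is a static audit, not a sandbox, and does not replace the upgrade to 5.0.0 or later: it only catches the plain shape of code that reaches outside the PAC API, so name-obfuscated code gets through. The suspicious-name list and the two sample PAC files are constructed for this example.

```javascript
// Added example (not pac-resolver's or Tim Perry's code): a defense-in-depth
// static audit run over a PAC file before it is handed to pac-resolver /
// pac-proxy-agent. It is NOT a sandbox and does not replace upgrading to
// pac-resolver 5.0.0+; it only catches the plain shape of code that reaches
// out of the PAC API (name-obfuscated code gets through).

// Names a legitimate PAC file never needs: a PAC only uses the standard
// helpers (dnsDomainIs, shExpMatch, isInNet, ...) and returns a proxy string.
const SUSPICIOUS_NAMES = new Set([
  'constructor', 'process', 'require', 'child_process', 'eval', 'Function',
  'globalThis', '__proto__', 'import', 'mainModule',
]);

// Drop comments so words in them do not trigger findings. String literals are
// kept on purpose: a name hidden inside a string literal should still be seen.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/(^|\s)\/\/[^\n]*/gm, '$1');
}

// Audit PAC source text. Returns { ok, findings }: ok is true only when a
// FindProxyForURL entry point exists and no suspicious name appears.
function auditPac(src) {
  const code = stripComments(src);
  const findings = [];
  if (!/\bfunction\s+FindProxyForURL\s*\(/.test(code)) {
    findings.push('missing FindProxyForURL');
  }
  const words = new Set(code.match(/[A-Za-z_$][A-Za-z0-9_$]*/g) || []);
  for (const w of words) {
    if (SUSPICIOUS_NAMES.has(w)) findings.push(`suspicious name: ${w}`);
  }
  return { ok: findings.length === 0, findings };
}

// Constructed inputs: the article's PAC file, and a PAC that tries to load a
// Node module (a stand-in for hostile config, not a working sandbox escape).
const BENIGN_PAC = `
function FindProxyForURL(url, host) {
  // Send all requests to *.example.com directly, without a proxy
  if (dnsDomainIs(host, '.example.com')) { return 'DIRECT'; }
  return 'PROXY proxy.example.com:8080';
}`;
const HOSTILE_PAC = `
function FindProxyForURL(url, host) {
  var cp = require('child_process'); // no business in a PAC file
  return 'DIRECT';
}`;
```

A failed audit should cause the application to refuse the PAC file and log the findings rather than fall back to evaluating it.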
