The popular "pac-Resolutionver" NPM package fixes a major flaw in Remote Code Execution (RCE).
For Proxy or No Proxy
This week, developer Team Fairy revealed a major flaw in a pac fixer that could enable threat actors on a local network to execute arbitrary code in a Node processing. js file whenever it wants an HTTP request.
And here the problem begins.
For example, an NPM-related package called Pac-Proxy-Agent, developed by the same author and downloading over 2 million downloads per week, supports a PAC file for Node applications. Provided by .js. Pac-Proxy-Agent does this by entering the URL into the PAC file, retrieving the file, then acting as an HTTP representative for Node.js, and managing outgoing requests for your application. But Pac-Proxy-Agent cannot properly document the PAC documents because it uses the weak pac parser, which relies heavily on the "dissolver" to generate the performance of the PAC.
Degenerator is another package that helps the author to change the required code into a sandbox function using the "VM" module Node.js. But the VM module was never designed to be used as a security mechanism, something that is explicitly mentioned in the Node.js documentation. Thus, the output of the degenerate agent - when used by a series of packages such as pac-Resolutioner, Pac-Proxy-Agent and proxy-agent - poses a security risk. "The vm module is not a security mechanism. Don't use it to execute untrusted code," Berry said in a blog post, referring to a disclaimer in the Node docs. "This is an easy bug - this is a small script (to be honest, it should be the title of the page and next to every method) and MongoDB did exactly the same in 2019, with worse consequences." Separately, there is a long list of easy ways to get to the original texture and completely get out of sandbox... The code inside Sandbox allows you to do basically anything it likes on your system. "Advertising
With this, Perry demonstrated code that abuses code to show how an attacker could exit a virtual machine: p> Zoom <<>" Done - This is all it takes to get out of the VM sandbox. If you can use a PAC file as your config for a soft target, you can run the code on their machine. js application, and :vars, config files, remote config endpoints, command line arguments) from an untrusted source
A remote attacker, in any of these scenarios, could, Configuring the malicious PAC address and executing the required code on the computer whenever an HTTP request is made using the proxy configuration. 0 simply involves increasing the apiary version to 3.0.1."
Berry thanks Snyk for his developer support during the vulnerability detection sync process. p>
Affected developers should upgrade to version 5.0.0 or higher to fix the issue. their applications. p>
NPM package was very weak with 3 million weekly downloads
The Starlink SpaceX satellite bandwidth service wi...
Telegram has expanded as a hub for cybercriminals seeking to...