Ex:
# the exploit
```js
..whatever
```
1. Run it through uglify and check whether it calls require.
2. Write a script (maybe based on a template) that would load the "exploit"
using a vm and without any context.
```js
require('vm').runInNewContext([
'"use strict";',
'('+exploit.toString()+')()'
].join('\n'), { ... }); // no console of course, and nothing that isn't needed
```
3. Run the new script and check that it finished OK (exit code 0) and within your
specified time (setTimeout).
--
Diogo Resende
On Friday, January 18, 2013 at 19:43 , Diogo Resende wrote:
> Assuming you get the script in advance and you have time before running it
> (user submits it), I would go with the uglify approach. I would then write a
> new script using vm and would run it using child_process. I would check if it
> lasts longer than expected. If OK, then save it and run it later whenever you
> want.
>
> --
> Diogo Resende
>
>
> On Friday, January 18, 2013 at 19:15 , Bradley Meck wrote:
>
> > Austin: won't go into great detail, but here's a fun little example:
> >
> > ```javascript
> > // console is a host object, so console.log.constructor is the host
> > // Function constructor; code it compiles runs with the host's process.
> > function exploit() {
> >   console.log.constructor("process.exit(42)")();
> > }
> > var result = require('vm').runInNewContext([
> >   '"use strict";',
> >   '(' + exploit.toString() + ')()'
> > ].join('\n'), { console: console });
> > console.log('I SURVIVED THE STORM!'); // it won't
> > ```
> >
> > That's pretty trivial, and then prototype injection attacks can occur if you
> > pass in natives and eventually use, say, JSON.stringify if you override
> > .toJSON, .toString, .constructor, .valueOf, .__proto__, ...
> > Then it gets worse when you do something like, say, get a hold of a
> > non-strict mode function from a different scope by having it construct, let's
> > say, a continuation callback ...
> > Even still... get a hold of some options object that feeds into a secure
> > area and set the options to something insecure (at a future point in time
> > with, let's say, Object.defineProperty).
> > ...
> > it goes on...
> > ...
> >
> > --
> > Job Board: http://jobs.nodejs.org/
> > Posting guidelines:
> > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> > You received this message because you are subscribed to the Google
> > Groups "nodejs" group.
> > To post to this group, send email to [email protected]
> > (mailto:[email protected])
> > To unsubscribe from this group, send email to
> > [email protected]
> > (mailto:[email protected])
> > For more options, visit this group at
> > http://groups.google.com/group/nodejs?hl=en?hl=en
>