During the Endor Labs 2023, we were looking at alternative ways to secure your code
We picked an old but very impacting vulnerability in the Javascript ecosystem:
- Ars Technica: NPM package with 3 million weekly downloads had a severe vulnerability
- Proxies are complicated: RCE vulnerability in a 3 million downloads/week NPM package
And we decided to adapt EndorCTL to patch your code automatically.
A PAC file is a "Proxy Auto Configuration" file that you feed your browser with to access URLs, via the FindProxyForURL
Javascript function:
function FindProxyForURL(url, host) {
// If the requested website is hosted within the internal network, send direct.
if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0"))
return "DIRECT";
// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
return "PROXY 4.5.6.7:8080; PROXY 7.8.9.10:8080";
}
In this repository, we have a couple of PAC file:
- a well-formatted one
- a malicious one that defines and execute a extra function
These commands will use the well-formatted proxy.pac
file to route the traffic via the right route (direct or proxy)
./index.js proxy.pac http://10.0.0.1/
./index.js proxy.pac https://www.google.com/
Now we use the malicious proxy-malicious.pac
file to run the exploit. The extra function in it will "just" dump the current environment:
./index.js proxy-malicious.pac http://10.0.0.1/
Oopsie :)
After cloning this repo and running npm install
, we use npm link
to modify the vulnerable library locally
# We create our collection of patched modules that we can then commit to our repo
mkdir node_modules.patched
cp -a node_modules/degenerator node_modules.patched/
# We patch the local version and make it "linkable" via npm
cd node_modules.patched/degenerator/
patch -p1 < ../../degenerator.patch
npm link
# Then, from the root of our repo, we make npm use our local version
cd ../..
npm link degenerator
Now that we have patched the vulnerable library, using the malicious PAC file will just throw a Javascript error instead of executing the malicious code.
TBD