This repository delves into several exploitable vulnerabilities found in the vm2 (Virtual Machine 2) library, commonly used for sandboxing and executing JavaScript securely. These vulnerabilities pose threats to the integrity of sandboxing capabilities, potentially allowing attackers to execute arbitrary code. Below are the specific vulnerabilities discussed:
- CVE-2023-32314
- CVE-2023-30547
- CVE-2023-29199
- CVE-2023-29017
- CVE-2023-32313
VM2 provides a secure environment for executing JavaScript within Node.js servers. Sandbox environments are crucial for security, as they isolate code execution from the main application, preventing unauthorized access and potential malicious activity.
To reproduce the vulnerabilities, follow these steps:
- Install Node.js
- Install the vulnerable version of vm2 if needed: `npm install vm2@3.9.15`
- Run the exploit you want in the terminal with `node CVE-<NUMBER>`
The vulnerability exploits the mishandling of the error argument in the `prepareStackTrace` function, leading to unauthorized access to the `Function` constructor in the host context.
This vulnerability arises from host exceptions leaking into the vm2 sandbox due to improper handling of exceptions within a proxy handler, potentially allowing sandbox escape.
The vulnerability relates to post-processing steps failing to properly sanitize exceptions, allowing attackers to bypass sandbox restrictions.
This vulnerability exploits the manipulation of the `Error.prepareStackTrace` property and constructor functions to gain access to the global environment and execute code.
This vulnerability leverages the `util.inspect` function in Node.js, disrupting normal code execution and potentially executing arbitrary code.
- Upgrade to vm2 version 3.9.17 or later.
- Implement additional security measures such as firewalls and network restrictions.
- Educate users and developers on secure coding practices and sandbox usage.
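To act on the upgrade item above, the following added example (not part of this repository) scans a parsed npm lockfile for every copy of vm2, including transitive ones, and reports those older than 3.9.17. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag every vm2 copy in an npm lockfile that is older than
// the fixed release named on this page (3.9.17).
const FIXED = [3, 9, 17];

// Parse "3.9.15" or "3.9.15-beta.1" into [3, 9, 15]; null if not x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before b.
function isOlder(a, b) {
  const i = a.findIndex((n, k) => n !== b[k]);
  return i !== -1 && a[i] < b[i];
}

// Collect {path, version} for every vm2 entry, covering both lockfile layouts:
// "packages" (lockfileVersion 2/3) and nested "dependencies" (lockfileVersion 1).
function findVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path) || meta.name === 'vm2') {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}/${name}`;
      if (name === 'vm2') hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'dependencies');
  return hits;
}

function vulnerableVm2(lock) {
  return findVm2(lock).filter(({ version }) => {
    const parsed = parseVersion(version);
    return parsed === null || isOlder(parsed, FIXED); // unparseable: treat as suspect
  });
}

// Constructed sample lockfile (not from the repository).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/vm2': { version: '3.9.15' },
  'node_modules/some-lib/node_modules/vm2': { version: '3.9.19' },
} };
console.log(vulnerableVm2(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `vulnerableVm2` and fail the build when the result is non-empty.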
This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and the owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations. Use responsibly.