leesh3288

Sandbox Escape in [email protected]

Summary

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.

Proof of Concept

leesh3288

Sandbox Escape in [email protected]

Summary

There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

Proof of Concept

leesh3288

Sandbox Escape in [email protected] via Promise[@@species]

Summary

In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with @@species accessor property allowing attackers to escape the sandbox and run arbitrary code.

Proof of Concept

leesh3288

Sandbox Escape in [email protected] via custom inspect function

Summary

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

Proof of Concept

leesh3288

zer0pts CTF 2023 flipper (pwn) Author's Writeup

Written by [Xion]

Challenge Summary

Linux kernel heap-relative 1-bit flip primitive, LPE to read flag.

Author's solution