
Safer together: Snyk and CISPA collaborate for the greater good

Aviad Hahami and Idan Digmi, June 6, 2022

Great things happen when the academic world and the software industry work together! Today, we’d like to share a story about our recent collaboration with the CISPA Helmholtz Center for Information Security, a large research institution in Germany.

Back in January, Cris Staicu, Ph.D. (tenure-track faculty, CISPA) contacted us about his research on NodeJS and JavaScript. The study he and his team conducted focused on security issues in JavaScript and NodeJS environments, such as prototype pollution vulnerabilities, JS sandbox escapes, and low-level C/C++ vulnerabilities in NodeJS native extensions.

Alongside CISPA, we were able to confirm a few not-so-straightforward vulnerabilities, report them to maintainers for fixes, assign CVEs, and publish advisories.

In this post, we’ll walk you through a few of the vulnerabilities we found with CISPA, while also calling on other academic institutions to collaborate with us to make the open-source world safer for everyone.

NodeJS sandbox escape gadgets

The first vulnerability we worked on was a sandbox escape.

For those unfamiliar with the term, a “sandbox” is an environment, process, or machine in which code can be executed without worrying about the security implications, for example when dealing with unsanitized client-supplied code or files.

In this case, Cris’s team found a JS library whose sandbox could be bypassed. The reported library, notevil, and its derivative argencoders-notevil allowed Cris’s team to escape the sandbox by abusing a prototype pollution vulnerability.

The PoC for this issue looks like this:

var notevil = require('notevil')

notevil(`  
Object.defineProperty(({})[["__proto__"]][["__proto__"]], 'polluted', {
  value: 'success'
});`);

console.log(polluted); // prints "success"

While the PoC looks harmless at first sight, a similar vulnerability in the same library was previously reported and can result in RCE in NodeJS environments or XSS in browser environments.
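The PoC above reaches Object.prototype through the computed key `[["__proto__"]]`, an array that member access coerces to the string "__proto__". As an added example (not code from the post, notevil, or CISPA), the following shows why a sandbox’s property-name blocklist must compare the coerced key rather than the raw value, and how a snapshot of Object.prototype taken before running untrusted code lets a host detect pollution afterwards. The blocklist contents and the simulated pollution are constructed for the demonstration.

```javascript
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Naive guard: compares the raw key. A non-string key such as ['__proto__']
// is not in the Set, yet obj[key] coerces it to the string "__proto__".
function naiveGuardedGet(obj, key) {
  if (FORBIDDEN.has(key)) throw new Error('forbidden property: ' + String(key));
  return obj[key];
}

// Hardened guard: coerce the key the way member access does (ToPropertyKey)
// and compare the result. Symbols pass through; they never spell "__proto__".
function hardenedGuardedGet(obj, key) {
  const k = typeof key === 'symbol' ? key : String(key);
  if (FORBIDDEN.has(k)) throw new Error('forbidden property: ' + String(k));
  return obj[k];
}

// Detection: record Object.prototype's own keys before running untrusted code
// and report any key that appeared afterwards.
function snapshotPrototype(proto = Object.prototype) {
  return new Set(Reflect.ownKeys(proto).map(String));
}
function newPrototypeKeys(before, proto = Object.prototype) {
  return Reflect.ownKeys(proto).map(String).filter((k) => !before.has(k));
}

// Constructed demonstration: the array key slips past the naive guard and
// reaches Object.prototype, the hardened guard rejects it, and a simulated
// pollution (added with configurable: true so it can be removed) shows up in the diff.
function demo() {
  const result = {};
  result.naiveReachesPrototype = naiveGuardedGet({}, ['__proto__']) === Object.prototype;
  try {
    hardenedGuardedGet({}, ['__proto__']);
    result.hardenedBlocks = false;
  } catch (e) {
    result.hardenedBlocks = true;
  }
  const before = snapshotPrototype();
  Object.defineProperty(Object.prototype, 'polluted', { value: 'success', configurable: true });
  try {
    result.detected = newPrototypeKeys(before);
  } finally {
    delete Object.prototype.polluted; // clean up after the demonstration
  }
  return result;
}
```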

Since the library is already deprecated (but still widely used), Cris’s team needed our help with issuing a CVE and notifying the maintainers. If you didn’t know, Snyk is an official CNA (CVE Numbering Authority), which allows us to issue CVEs when required. Thus, we issued CVE-2021-23771 to make developers aware of this vulnerability.

Type-confusion in native NodeJS extensions

Since CISPA’s focus was on type confusion vulnerabilities between NodeJS applications and C extensions for the NodeJS engine, we collaborated on the topic. Most of CISPA’s type confusion experiments resulted in a V8 engine crash, so both parties wanted to dig in and understand the problem better.

As an example, let’s use the libxmljs library. If you’re unfamiliar with it, libxmljs is used for XML parsing and wraps the native libxml C library behind the scenes.

Here’s a snippet of the basic usage example for the library, copied from their README:

// As copied from libxmljs readme
var libxmljs = require("libxmljs");
var xml =  '<?xml version="1.0" encoding="UTF-8"?>' +
           '<root>' +
               '<child foo="bar">' +
                   '<grandchild baz="fizbuzz">grandchild content</grandchild>' +
               '</child>' +
               '<sibling>with content!</sibling>' +
           '</root>';

var xmlDoc = libxmljs.parseXml(xml); // you can now query the document

However, we were able to crash the whole application with the following PoC:

let libxmljs = require("libxmljs");
let xml = {toString: 23}; // toString is a number, not a function, so the value cannot be stringified
try {
    libxmljs.parseXml(xml);
} catch(e) {
    // never executed because of the hard crash
}

Since the application can be crashed using user input, despite the try/catch block in place, we’re facing a DoS entry point.

Running the code from the previous block will yield the following stack trace:

FATAL ERROR: v8::ToLocalChecked Empty MaybeLocal.
 1: 0xb23a90 node::Abort() [node]
 2: 0xa3823c node::FatalError(char const*, char const*) [node]
 3: 0xd13ffa v8::Utils::ReportApiFailure(char const*, char const*) [node]
 4: 0x7fa0bc5eec9b libxmljs::XmlDocument::FromXml(Nan::FunctionCallbackInfo<v8::Value> const&) [/opt/node_modules/libxmljs/build/Release/xmljs.node]
 5: 0x7fa0bc5ea208  [/opt/node_modules/libxmljs/build/Release/xmljs.node]
 6: 0xd7019e  [node]
 7: 0xd715bf v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
 8: 0x16138f9  [node]
Aborted

Further debugging with GDB helped us understand that the underlying engine expects a String argument, but, as we found, when passed an object it will attempt to stringify it.

In the above example, the toString method is not invokable (since it’s just a number), so the string conversion fails. Had that conversion happened in JavaScript, the failure would be an ordinary TypeError that try/catch can handle. Here, however, it happens inside the native addon: the conversion yields an empty MaybeLocal, and calling ToLocalChecked() on it is a fatal V8 error (the FATAL ERROR line in the trace above) that aborts the process. Because the abort happens in native code rather than being thrown as a JavaScript exception, the try/catch block is not effective, resulting in a full application crash.
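The boundary described above, as an added example that is not code from the post, libxmljs, or CISPA: the native entry point is replaced by a constructed stub (`nativeParseStub`), and a JavaScript-side wrapper (`safeParseXml`, a hypothetical name) performs or refuses the string conversion before anything reaches native code, so a value like `{toString: 23}` surfaces as a catchable TypeError instead of an abort.

```javascript
// Stand-in for a native entry point such as libxmljs.parseXml (constructed stub,
// not the real addon). A real addon receives whatever V8 value the caller passed
// and, in the crashing path, converts it with ToString(...).ToLocalChecked().
function nativeParseStub(xml) {
  if (typeof xml !== 'string') {
    // In the real addon this is the point where the process aborts.
    throw new Error('non-string value reached native code');
  }
  return { rootLength: xml.length };
}

// The same ToString conversion performed in JavaScript: a value whose toString
// is not callable raises an ordinary TypeError that try/catch can handle.
function tryCoerce(value) {
  try {
    return { ok: true, value: String(value) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// JS-side boundary check (hypothetical wrapper): accept only a string or Buffer
// and hand the native layer a primitive string, never an arbitrary object.
function safeParseXml(input) {
  if (typeof input === 'string') return nativeParseStub(input);
  if (Buffer.isBuffer(input)) return nativeParseStub(input.toString('utf8'));
  throw new TypeError('parseXml expects a string or Buffer, got ' + typeof input);
}

// Classifies how a call ends: "ok", "rejected" (catchable TypeError at the
// boundary) or "crashed" (the value reached native code unchecked).
function classify(input, parse = safeParseXml) {
  try {
    parse(input);
    return 'ok';
  } catch (e) {
    return e instanceof TypeError ? 'rejected' : 'crashed';
  }
}
```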

We approached the maintainers alongside CISPA and responsibly disclosed the vulnerability, tracking it as CVE-2022-21144.

Call for collaborations

We’d love to collaborate with more academic institutions like CISPA, and partnering with Snyk comes with several helpful advantages. It’s one thing to discover vulnerabilities, but it’s another thing to disclose them, especially when they are in open-source libraries. Our dedicated team of analysts and researchers will help you verify and understand the full impact of a given vulnerability, and our process guarantees that the vulnerability will be disclosed responsibly, discreetly, and professionally. And, since Snyk is a CNA, we have a dedicated tracking system and can coordinate with both the reporter and the maintainers, keeping both parties informed at all times.

So, feel free to contact us the next time you discover a new vulnerability. We’ll be happy to help with the confirmation and disclosure processes.

Stay Secure!
