Discussion
Critical flaw in Protobuf library enables JavaScript code execution
skybrian: How does the attacker supply a malicious schema? Can that be turned off? It doesn't seem like a normal thing to do.
cyanydeez: probably via normal npm injection server side.
lioeters: > the library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but it fails to validate schema-derived identifiers, such as message names.

Typical "eval is evil" issue.
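The pattern lioeters quotes, reduced to a constructed toy so the failure is visible: a schema-driven generator that pastes schema-derived names straight into source text and compiles it with the Function constructor, next to a hardened variant that validates every identifier and passes non-identifier data in as an argument. This is an added example, not the affected library's code and not any commenter's; the schema shape, the `unsafeCompile` / `safeCompile` names and the sample payload are assumptions made for the illustration.

```javascript
// Added illustration of "code generation by string concatenation + Function()".
// Constructed toy: the real library's generated code is different; only the
// pattern (schema-derived identifiers spliced into source text) is reproduced.

// Words a plain identifier regex accepts but that must never be emitted as
// generated variable or property names. Includes prototype-walking names as a
// precaution, since they are valid identifiers too.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'export', 'extends', 'finally', 'for', 'function',
  'if', 'import', 'in', 'instanceof', 'new', 'return', 'super', 'switch',
  'this', 'throw', 'try', 'typeof', 'var', 'void', 'while', 'with', 'yield',
  'let', 'static', 'enum', 'await', 'implements', 'package', 'protected',
  'interface', 'private', 'public', 'null', 'true', 'false', 'arguments',
  'eval', '__proto__', 'constructor', 'prototype',
]);

// Vulnerable: schema.name and each field name become part of the source text.
// A name containing a double quote closes the literal and the rest is code,
// executed with whatever the generated function can reach (in Node, `process`).
function unsafeCompile(schema) {
  let src = '"use strict";\nvar msg = {};\n';
  src += 'msg.$type = "' + schema.name + '";\n';           // raw interpolation
  for (const f of schema.fields) {
    src += 'msg.' + f.name + ' = input["' + f.name + '"];\n'; // raw interpolation
  }
  src += 'return msg;';
  return new Function('input', src);
}

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function assertIdentifier(name) {
  if (typeof name !== 'string' || !IDENT.test(name) || RESERVED.has(name)) {
    throw new Error('schema contains an unsafe identifier: ' + JSON.stringify(name));
  }
  return name;
}

// Hardened: identifiers are validated before they touch the source text, and
// the type tag, which never needed to be an identifier, is passed to the
// generated function as data instead of being pasted into the code.
function safeCompile(schema) {
  const typeName = assertIdentifier(schema.name);
  const fields = schema.fields.map((f) => assertIdentifier(f.name));
  let src = '"use strict";\nvar msg = {};\nmsg.$type = typeName;\n';
  for (const f of fields) {
    src += 'msg.' + f + ' = input.' + f + ';\n';
  }
  src += 'return msg;';
  const build = new Function('typeName', 'input', src);
  return (input) => build(typeName, input);
}

// Constructed sample: a schema an attacker could serve to a tool that fetches
// schemas from an untrusted endpoint. The message name closes the string
// literal, runs a statement, then re-opens a literal so the code still parses.
const MALICIOUS_SCHEMA = {
  name: 'Ping"; input.pwned = true; msg.$type = "Ping',
  fields: [{ name: 'id' }],
};

function demonstrate() {
  const input = { id: 7 };
  const msg = unsafeCompile(MALICIOUS_SCHEMA)(input); // attacker statement runs here
  let safeRejected = false;
  try {
    safeCompile(MALICIOUS_SCHEMA);
  } catch (e) {
    safeRejected = true;
  }
  return {
    injectedCodeRan: input.pwned === true, // side effect of the injected statement
    decodedType: msg.$type,                // the decoded message still looks normal
    safeRejected,                          // hardened compiler refuses the schema
  };
}

module.exports = { unsafeCompile, safeCompile, assertIdentifier, demonstrate };
```

The point of the hardened version is not the regex alone: a regex lets reserved words through, and even a perfectly validated name should only reach the source text where it genuinely has to be an identifier. Anything that is really data (type tags, default values, enum labels) belongs in a closure argument, never in the concatenated string.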
radicality: I think something like this: Imagine a tool for querying remote gRPC endpoints - you would point it at some endpoint to query it / explore it, and the tool would request the proto schema files from a potentially untrusted source - something you would not expect to be that unsafe and trigger an RCE.
jauco: But once you can make people download your malicious js code using npm, why would you then need to inject malicious js code in protobuf?
cyanydeez: Well, in this attack, you're using the vulnerable dev to modify their code to run a protobuf schema that's vulnerable; so then it can inject that vulnerability into the client code, and then you're exfiltrating from tens of users (the dev who ran this code isn't very popular).