
Do you use PAC files? Beware of the NPM package error

Recently, the independent software developer Tim Perry, creator of HTTP Toolkit, a tool for intercepting and debugging web traffic, decided to add proxy support to his product, which, like a lot of software these days, is written in Node.js.


Node.js is the project that took JavaScript out of the browser and turned it into a general-purpose application development platform, something like Java.


Along with the JavaScript core, which uses the V8 JavaScript engine from Google's Chromium project, Node.js software usually also relies on NPM, the Node Package Manager, and the NPM Registry, a truly massive repository of open source tools and libraries.

The NPM registry covers everything from basic text formatting to full face recognition and almost everything in between.

Instead of writing all or even most of the code in your project yourself, you simply list the additional packages you want to use and NPM fetches them for you, along with any packages those packages need, and any packages those need in turn, until it has found and automatically installed every piece of additional code required to build the project.

As you can imagine, this can turn into a potential security nightmare. Adding a single package to your own project may pull in a bunch of additional packages, each of which may have been written by a different person you don't know.

This structure is known as a dependency tree, and it can be particularly dangerous. Perry discovered this danger himself recently, when he decided to use a popular NPM package called Proxy-Agent to provide the proxy support he wanted in HTTP Toolkit.

Perry installed and started using Proxy-Agent, and its entire dependency tree, without first reviewing the code he had just pulled into his project. That is how he ran into a security flaw, CVE-2021-23406, in a proxy kit called Pac-Resolver, a secondary component that helps your code handle PAC, or proxy auto-configuration.


PAC files are not just lists of IP addresses or server names telling you where your network's official proxy servers are. They are intended to be loaded and used by your browser, and as such were intentionally designed to be more flexible than a simple list of static data.

Indeed, a PAC file consists of JavaScript that can dynamically determine whether a proxy is needed and, if so, where to find it on the network. As Perry notes, the PAC file format dates back a quarter of a century and first appeared as a "feature" in the Netscape browser.

Of course, Perry was not planning to run PAC files in a browser, but as part of HTTP Toolkit, which runs as a regular application, potentially giving the PAC file's JavaScript much more scope and power in this scenario.

Therefore, he decided to take a look at how the developers of the proxy configuration code he had chosen had handled the security implications of fetching and executing external JavaScript.

He discovered that the code used a Node component called vm, short for virtual machine, which lets you set up a new JavaScript instance, or context, that does not interfere with code running in other contexts in your application.

This is a handy precaution if you want two parts of your code to do separate things in such a way that they can't accidentally step on each other.

Perry realized that the original developer was using the vm library both for programming hygiene and for security, apparently assuming that a new vm instance was not only separate from other vm instances in the application, but also strictly sandboxed in its own little isolated JavaScript world.

Perry quickly worked out how to use an ordinary JavaScript programming technique to run code inside the new vm instance that had full access to the data of the main Node.js application outside the vm.

Technically, this is an RCE bug in the proxy configuration process, where RCE stands for remote code execution.


NPM security gap

RCE means that untrusted content from an untrusted source can deliberately do something sneaky that is supposedly not allowed, without any warning being shown.

Exploiting this bug would typically involve altering the official PAC file of a private network's proxy to include booby-trapped JavaScript.

What can we do?

If you have Node.js software that uses Pac-Resolver, Pac-Proxy-Agent or Proxy-Agent, make sure you have version 5.0.0 or newer of these packages.

Regularly review the Node.js modules on which your products depend. Budget the extra time and expertise this needs into your software release process.

Check the security limitations of the libraries you use.

Do not assume that widely used packages are safe. Bugs like CVE-2021-23406 are likely to go undetected for a long time if nobody looks for them.

Absenta Mia