Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass
Description

Summary

Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature closing of arbitrary file descriptors, allowing standard input to be re-opened as a different resource and resulting in a permission prompt bypass.

Details

Node `child_process` IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns an `IpcJsonStreamResource` ID associated with that file descriptor. When the resource is closed, the raw file descriptor is closed with it. Although closing a file descriptor seems like a harmless task, this has been known to be exploitable:

- With `--allow-read` and `--allow-write` permissions, one can open `/dev/ptmx` as stdin. This device happily accepts TTY ioctls and pipes anything written into it back to the reader.
- This has been presented in a hacking competition (WACON 2023 Quals "dino jail").
- However, the precondition of that challenge was heavily contrived: fd 0 had been closed manually via FFI, and `setuid()` was used to drop permissions and deny access to `/proc`, since global write permissions are usually equivalent to arbitrary code execution (`/proc/self/mem`).

As this vulnerability conveniently allows us to close stdin (fd 0) without any FFI, we can open any resource that, when read, returns `y`, `Y` or `A` as its first character (`runtimes/permissions/prompter.rs`) to bypass the prompt. There is a caveat, however: all stdio/stdin/stderr streams are locked, after which `clear_stdin()` is called. This invokes `libc::tcflush(0, libc::TCIFLUSH)`…
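The root cause described above is an ownership mistake: a resource takes a caller-supplied integer as if it were a descriptor it owns, so dropping the resource closes whatever that number refers to. The Rust example below is an added illustration of that bug class and of a defensive alternative; it is not Deno's code and does not reproduce `op_node_ipc_pipe()`. The names `IpcResourceUnchecked`, `validate_and_own`, `unchecked_closes_callers_fd` and `hardened_keeps_callers_fd` are hypothetical, the IPC channel is stood in for by a constructed Unix socket pair, and the code assumes a Linux/Unix host. The hardened path refuses fds 0 to 2, `dup()`s the descriptor so the resource owns a private copy, and checks via `fstat` that the copy is a pipe or socket, so the caller's original handle survives the resource being dropped.

```rust
use std::fs::File;
use std::io::{self, Read, Write};
use std::os::fd::{AsRawFd, BorrowedFd, FromRawFd, OwnedFd, RawFd};
use std::os::unix::fs::FileTypeExt;
use std::os::unix::net::UnixStream;

/// Vulnerable pattern (constructed illustration of the advisory's bug class):
/// the resource takes ownership of whatever integer the caller hands over, so
/// dropping it closes that descriptor even though the caller never gave it up.
/// With raw == 0 this would close the process's stdin.
pub struct IpcResourceUnchecked {
    _fd: OwnedFd,
}

impl IpcResourceUnchecked {
    pub fn new(raw: RawFd) -> Self {
        // Unsound: nothing proves `raw` is a descriptor that is ours to close.
        let fd = unsafe { OwnedFd::from_raw_fd(raw) };
        Self { _fd: fd }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum IpcFdError {
    /// fds 0..=2 are the standard streams and are never closed on a caller's behalf.
    StdioDescriptor(RawFd),
    /// Negative numbers are not descriptors at all.
    InvalidDescriptor(RawFd),
    /// The descriptor is open but is not a pipe or socket.
    NotIpcChannel,
    /// dup() or fstat() failed (errno), e.g. EBADF for a descriptor that is not open.
    Os(i32),
}

fn os_err(e: io::Error) -> IpcFdError {
    IpcFdError::Os(e.raw_os_error().unwrap_or(-1))
}

/// Hardened pattern (hypothetical): reject the standard streams, dup() the
/// descriptor so the resource owns a private copy, and verify that copy is an
/// IPC channel. Neither this function nor dropping the returned handle ever
/// closes the caller's original fd.
pub fn validate_and_own(raw: RawFd) -> Result<OwnedFd, IpcFdError> {
    if (0..=2).contains(&raw) {
        return Err(IpcFdError::StdioDescriptor(raw));
    }
    if raw < 0 {
        return Err(IpcFdError::InvalidDescriptor(raw));
    }
    // SAFETY: the borrow lives only for this call and is never closed here;
    // try_clone_to_owned() performs dup() and hands back a descriptor we own.
    let borrowed = unsafe { BorrowedFd::borrow_raw(raw) };
    let owned = borrowed.try_clone_to_owned().map_err(os_err)?;
    let file = File::from(owned);
    let kind = file.metadata().map_err(os_err)?.file_type(); // fstat() on the copy
    if !(kind.is_fifo() || kind.is_socket()) {
        return Err(IpcFdError::NotIpcChannel);
    }
    Ok(OwnedFd::from(file))
}

/// Demonstrates the bug: wrapping the caller's socket fd in the unchecked
/// resource and dropping it leaves the caller holding a dead descriptor.
pub fn unchecked_closes_callers_fd() -> io::Result<bool> {
    let (ours, _peer) = UnixStream::pair()?; // constructed stand-in for the IPC channel
    let raw = ours.as_raw_fd();
    drop(IpcResourceUnchecked::new(raw)); // closes `raw` out from under `ours`
    let dead = ours.try_clone().is_err(); // dup() on the closed number fails with EBADF
    // Dropping `ours` would close `raw` a second time; by then the number may
    // have been reused by something else, which is the double-close hazard.
    std::mem::forget(ours);
    Ok(dead)
}

/// Demonstrates the hardened path: validation accepts the socket, and the
/// caller's original handle still carries data after the resource is dropped.
pub fn hardened_keeps_callers_fd() -> io::Result<bool> {
    let (mut ours, mut peer) = UnixStream::pair()?;
    let resource = validate_and_own(ours.as_raw_fd())
        .map_err(|e| io::Error::new(io::ErrorKind::Other, format!("{e:?}")))?;
    drop(resource); // closes only the dup()'d copy owned by the resource
    peer.write_all(b"ping")?;
    let mut buf = [0u8; 4];
    ours.read_exact(&mut buf)?;
    Ok(&buf == b"ping")
}

fn main() -> io::Result<()> {
    println!("stdin rejected: {:?}", validate_and_own(0).err());
    println!("unchecked resource killed caller's fd: {}", unchecked_closes_callers_fd()?);
    println!("hardened resource kept caller's fd: {}", hardened_keeps_callers_fd()?);
    Ok(())
}
```

The check that matters most is the first one: a descriptor number arriving from a less-trusted layer (here JS, in general any IPC or FFI boundary) is data, not a capability, and the only way to turn it into something the native side may close is to `dup()` it into a descriptor the native side provably owns.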