Vulnerability-Lookup

CVE-2024-27933 (GCVE-0-2024-27933)

Vulnerability from cvelistv5 – Published: 2024-03-06 20:52 – Updated: 2024-08-02 19:55

Title

Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass

Summary

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs. Version 1.39.1 fixes the bug.

Severity ?

8.3 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/denoland/deno/security/advisor…	x_refsource_CONFIRM
	https://github.com/denoland/deno/commit/55fac9f5e…	x_refsource_MISC
	https://github.com/denoland/deno/commit/5a91a065b…	x_refsource_MISC
	https://github.com/denoland/deno/blob/v1.39.0/run…	x_refsource_MISC
	https://github.com/denoland/deno/blob/v1.39.0/run…	x_refsource_MISC
	https://github.com/denoland/deno/blob/v1.39.0/run…	x_refsource_MISC
	https://github.com/denoland/deno/blob/v1.39.0/run…	x_refsource_MISC
	https://github.com/denoland/deno/blob/v1.39.0/run…	x_refsource_MISC
	https://github.com/denoland/deno/blob/v1.39.0/run…	x_refsource_MISC
	https://github.com/denoland/deno/blob/v1.39.0/run…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	denoland	deno	Affected: = 1.39.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:41:55.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
          },
          {
            "name": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
          },
          {
            "name": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:denoland:deno:1.39.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "deno",
            "vendor": "denoland",
            "versions": [
              {
                "status": "affected",
                "version": "1.39.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27933",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-02T19:54:07.494367Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:55:09.948Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "deno",
          "vendor": "denoland",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.39.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\n\nThis bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\n\nVersion 1.39.1 fixes the bug.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-06T20:52:17.599Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
        },
        {
          "name": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
        },
        {
          "name": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
        },
        {
          "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
        },
        {
          "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
        },
        {
          "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
        },
        {
          "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
        },
        {
          "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
        },
        {
          "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
        },
        {
          "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
        }
      ],
      "source": {
        "advisory": "GHSA-6q4w-9x56-rmwq",
        "discovery": "UNKNOWN"
      },
      "title": "Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-27933",
    "datePublished": "2024-03-06T20:52:17.599Z",
    "dateReserved": "2024-02-28T15:14:14.216Z",
    "dateUpdated": "2024-08-02T19:55:09.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq\", \"name\": \"https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b\", \"name\": \"https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392\", \"name\": \"https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:41:55.828Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27933\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-02T19:54:07.494367Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:denoland:deno:1.39.0:*:*:*:*:*:*:*\"], \"vendor\": \"denoland\", \"product\": \"deno\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.39.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-02T19:55:05.745Z\"}}], \"cna\": {\"title\": \"Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass\", \"source\": {\"advisory\": \"GHSA-6q4w-9x56-rmwq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"denoland\", \"product\": \"deno\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 1.39.0\"}]}], \"references\": [{\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq\", \"name\": \"https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b\", \"name\": \"https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392\", \"name\": \"https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99\", \"name\": \"https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\\n\\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\\n\\nThis bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\\n\\nVersion 1.39.1 fixes the bug.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-06T20:52:17.599Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-27933\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T19:55:09.948Z\", \"dateReserved\": \"2024-02-28T15:14:14.216Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-06T20:52:17.599Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2024-27933

Vulnerability from gsd - Updated: 2024-02-29 06:03

Details

Aliases

CVE-2024-27933

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-27933"
      ],
      "details": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\n\nThis bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\n\nVersion 1.39.1 fixes the bug.\n",
      "id": "GSD-2024-27933",
      "modified": "2024-02-29T06:03:30.095222Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-27933",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "deno",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "= 1.39.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "denoland"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\n\nThis bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\n\nVersion 1.39.1 fixes the bug.\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863: Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
          },
          {
            "name": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
          },
          {
            "name": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
          },
          {
            "name": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99",
            "refsource": "MISC",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-6q4w-9x56-rmwq",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\n\nThis bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\n\nVersion 1.39.1 fixes the bug.\n"
          },
          {
            "lang": "es",
            "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. En la versi\u00f3n 1.39.0, el uso de descriptores de archivos sin formato en `op_node_ipc_pipe()` conduce al cierre prematuro de descriptores de archivos arbitrarios, lo que permite volver a abrir la entrada est\u00e1ndar como un recurso diferente, lo que da como resultado la omisi\u00f3n de la solicitud de permiso. El nodo child_process IPC depende del lado JS para pasar el descriptor de archivo IPC sin formato a `op_node_ipc_pipe()`, que devuelve un ID de `IpcJsonStreamResource` asociado con el descriptor de archivo. Al cerrar el recurso, el descriptor del archivo sin formato se cierra junto. El uso de descriptores de archivos sin formato en `op_node_ipc_pipe()` conduce al cierre prematuro de descriptores de archivos arbitrarios. Esto permite cerrar y volver a abrir la entrada est\u00e1ndar (fd 0) para un recurso diferente, lo que permite omitir la solicitud de permiso silenciosa. Esto es explotable por un atacante que controla el c\u00f3digo ejecutado dentro de un tiempo de ejecuci\u00f3n de Deno para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario en la m\u00e1quina host, independientemente de los permisos. Se sabe que este error es explotable. Existe un exploit funcional que logra la ejecuci\u00f3n de c\u00f3digo arbitrario al evadir solicitudes de permisos cero, abusando adem\u00e1s del hecho de que la API de cach\u00e9 carece de comprobaciones de permisos del sistema de archivos. El ataque se puede realizar de forma silenciosa ya que stderr tambi\u00e9n se puede cerrar, suprimiendo todas las salidas de aviso. La versi\u00f3n 1.39.1 corrige el error."
          }
        ],
        "id": "CVE-2024-27933",
        "lastModified": "2024-03-21T12:58:51.093",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.5,
              "impactScore": 6.0,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-21T02:52:22.197",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-27933

Vulnerability from fkie_nvd - Published: 2024-03-21 02:52 - Updated: 2025-01-03 19:23

Severity ?

8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214	Product
security-advisories@github.com	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220	Product
security-advisories@github.com	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225	Product
security-advisories@github.com	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241	Product
security-advisories@github.com	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256	Product
security-advisories@github.com	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265	Product
security-advisories@github.com	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99	Product
security-advisories@github.com	https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b	Patch
security-advisories@github.com	https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392	Product
security-advisories@github.com	https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	deno	deno	1.39.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:deno:deno:1.39.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5D56C51-E65E-4594-8936-3BBA9322E97D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\n\nThis bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\n\nVersion 1.39.1 fixes the bug.\n"
    },
    {
      "lang": "es",
      "value": "Deno es un tiempo de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. En la versi\u00f3n 1.39.0, el uso de descriptores de archivos sin formato en `op_node_ipc_pipe()` conduce al cierre prematuro de descriptores de archivos arbitrarios, lo que permite volver a abrir la entrada est\u00e1ndar como un recurso diferente, lo que da como resultado la omisi\u00f3n de la solicitud de permiso. El nodo child_process IPC depende del lado JS para pasar el descriptor de archivo IPC sin formato a `op_node_ipc_pipe()`, que devuelve un ID de `IpcJsonStreamResource` asociado con el descriptor de archivo. Al cerrar el recurso, el descriptor del archivo sin formato se cierra junto. El uso de descriptores de archivos sin formato en `op_node_ipc_pipe()` conduce al cierre prematuro de descriptores de archivos arbitrarios. Esto permite cerrar y volver a abrir la entrada est\u00e1ndar (fd 0) para un recurso diferente, lo que permite omitir la solicitud de permiso silenciosa. Esto es explotable por un atacante que controla el c\u00f3digo ejecutado dentro de un tiempo de ejecuci\u00f3n de Deno para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario en la m\u00e1quina host, independientemente de los permisos. Se sabe que este error es explotable. Existe un exploit funcional que logra la ejecuci\u00f3n de c\u00f3digo arbitrario al evadir solicitudes de permisos cero, abusando adem\u00e1s del hecho de que la API de cach\u00e9 carece de comprobaciones de permisos del sistema de archivos. El ataque se puede realizar de forma silenciosa ya que stderr tambi\u00e9n se puede cerrar, suprimiendo todas las salidas de aviso. La versi\u00f3n 1.39.1 corrige el error."
    }
  ],
  "id": "CVE-2024-27933",
  "lastModified": "2025-01-03T19:23:04.357",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.5,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-21T02:52:22.197",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-6Q4W-9X56-RMWQ

Vulnerability from github – Published: 2024-03-06 17:04 – Updated: 2024-03-21 18:29

Summary

Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass

Details

Summary

Use of raw file descriptors in op_node_ipc_pipe() leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass.

Details

Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to op_node_ipc_pipe(), which returns a IpcJsonStreamResource ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.

Although closing a file descriptor is seemingly a harmless task, this has been known to be exploitable: - With --allow-read and --allow-write permissions, one can open /dev/ptmx as stdin. This device happily accepts TTY ioctls and pipes anything written into it back to the reader. - This has been presented in a hacking competition (WACON 2023 Quals "dino jail"). - However, the precondition of this challenge was heavily contrived: fd 0 has manually been closed by FFI and setuid() was used to drop permissions and deny access to /proc since global write permissions are usually equivalent to arbitrary code execution (/proc/self/mem).

As this vulnerability conveniently allows us to close stdin (fd 0) without any FFI, we can open any resource that when read returns y, Y or A as its first character (runtimes/permissions/prompter.rs) to bypass the prompt.

There is a caveat however - all stdio/stdin/stderr streams are locked, after which clear_stdin() is called. This invokes libc::tcflush(0, libc::TCIFLUSH) which fails on a non-TTY file descriptor.

This can be exploited by widening the race window between clear_stdin() and the next stdin_lock.read_line(). Notably, the prompt message contains the requested resource name (path) which is filtered by strip_ansi_codes_and_ascii_control(). This is also concatenated by write!() to make a single buffer printed out to stderr. Thus, if we request a very long resource name, the window will widen allowing us to easily and stably race another Worker that closes fd 0 and opens a resource starting with an A\n within the race window.

Note that attacker does not need any permissions to exploit this bug to a full permission prompt bypass, as Cache API can be used to create and open files with controlled content without any permissions. Refer to the Impact section for more details.

PoC

Testing environment is Docker image denoland/deno:alpine-1.39.0@sha256:95064390f2c115673762bfc4fe15b1a7f81c859038b8c02b277ede7cd8a2ccbf.

Below PoC closes stdout (fd 1) and then prints two lines, one on stdout and one on stderr. Only the latter line is shown as stdout file descriptor is closed.

const ops = Deno[Deno.internal].core.ops;

// open fd 1 as ipc stream resource
const rid = ops.op_node_ipc_pipe(1);

// close resource & fd 1
Deno.close(rid);

// this should not be seen (stdout)
console.log('not seen');

// but this is seen (stderr)
console.error('seen');

Below is /proc/$(pgrep deno)/fd right after executing the last line of the above PoC. We see that fd 1 is indeed missing.

total 0
dr-x------ 2 root root 30 Dec 18 07:07 ./
dr-xr-xr-x 9 root root  0 Dec 18 07:07 ../
lrwx------ 1 root root 64 Dec 18 07:07 0 -> /dev/pts/0
l-wx------ 1 root root 64 Dec 18 07:07 10 -> 'pipe:[159305]'
lr-x------ 1 root root 64 Dec 18 07:07 11 -> 'pipe:[159306]'
l-wx------ 1 root root 64 Dec 18 07:07 12 -> 'pipe:[159306]'
lrwx------ 1 root root 64 Dec 18 07:07 13 -> /deno-dir/dep_analysis_cache_v1
l-wx------ 1 root root 64 Dec 18 07:07 14 -> 'pipe:[159305]'
l-wx------ 1 root root 64 Dec 18 07:07 15 -> 'pipe:[159306]'
lrwx------ 1 root root 64 Dec 18 07:07 16 -> /deno-dir/node_analysis_cache_v1
lrwx------ 1 root root 64 Dec 18 07:07 17 -> /dev/pts/0
lrwx------ 1 root root 64 Dec 18 07:07 18 -> /dev/pts/0
lrwx------ 1 root root 64 Dec 18 07:07 19 -> /dev/pts/0
lrwx------ 1 root root 64 Dec 18 07:07 2 -> /dev/pts/0
lrwx------ 1 root root 64 Dec 18 07:07 20 -> 'anon_inode:[eventpoll]'
lrwx------ 1 root root 64 Dec 18 07:07 21 -> 'anon_inode:[eventfd]'
lrwx------ 1 root root 64 Dec 18 07:07 22 -> 'anon_inode:[eventpoll]'
lrwx------ 1 root root 64 Dec 18 07:07 23 -> 'socket:[159302]'
lrwx------ 1 root root 64 Dec 18 07:07 24 -> 'anon_inode:[eventpoll]'
lrwx------ 1 root root 64 Dec 18 07:07 25 -> 'anon_inode:[eventfd]'
lrwx------ 1 root root 64 Dec 18 07:07 26 -> 'anon_inode:[eventpoll]'
lrwx------ 1 root root 64 Dec 18 07:07 27 -> 'socket:[159302]'
lrwx------ 1 root root 64 Dec 18 07:07 28 -> 'socket:[159310]'
lrwx------ 1 root root 64 Dec 18 07:07 29 -> 'socket:[159308]'
lrwx------ 1 root root 64 Dec 18 07:07 3 -> 'anon_inode:[eventpoll]'
lrwx------ 1 root root 64 Dec 18 07:07 30 -> 'socket:[159309]'
lrwx------ 1 root root 64 Dec 18 07:07 4 -> 'anon_inode:[eventfd]'
lrwx------ 1 root root 64 Dec 18 07:07 5 -> 'anon_inode:[eventpoll]'
lrwx------ 1 root root 64 Dec 18 07:07 6 -> 'socket:[159302]'
lrwx------ 1 root root 64 Dec 18 07:07 7 -> 'socket:[159303]'
lrwx------ 1 root root 64 Dec 18 07:07 8 -> 'socket:[159302]'
lr-x------ 1 root root 64 Dec 18 07:07 9 -> 'pipe:[159305]'

Impact

Use of raw file descriptors in op_node_ipc_pipe() leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.

This bug is known to be exploitable - there is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.

Note that Deno's security model is currently described as follows: - All runtime I/O is considered to be privileged and must always be guarded by a runtime permission. This includes filesystem access, network access, etc. - The only exception to this is runtime storage explosion attacks that are isolated to a part of the file system, caused by evaluated code (for example, caching big dependencies or no limits on runtime caches such as the Web Cache API).

Although it is ambiguous if the fundamental lack of file system permission checks on Web Cache API is a vulnerability or not, the reporter have not reported this as a vulnerability assuming that this is a known risk (or a feature).

Affected version of Deno is 1.39.0.

Introduced with commit 5a91a06
Fixed with commit 55fac9f

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.39.0"
            },
            {
              "fixed": "1.39.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.39.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T17:04:08Z",
    "nvd_published_at": "2024-03-21T02:52:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass.\n\n\n### Details\n\nNode child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together.\n\nAlthough closing a file descriptor is seemingly a harmless task, this has been known to be exploitable:\n- With `--allow-read` and `--allow-write` permissions, one can open `/dev/ptmx` as stdin. This device happily accepts TTY ioctls and pipes anything written into it back to the reader. \n  - This has been presented in a hacking competition (WACON 2023 Quals \"dino jail\").\n  - However, the precondition of this challenge was heavily contrived: fd 0 has manually been closed by FFI and `setuid()` was used to drop permissions and deny access to `/proc` since global write permissions are usually equivalent to arbitrary code execution (`/proc/self/mem`).\n\nAs this vulnerability conveniently allows us to close stdin (fd 0) without any FFI, we can open any resource that when read returns `y`, `Y` or `A` as its first character ([runtimes/permissions/prompter.rs](https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265)) to bypass the prompt.\n\nThere is a caveat however - all stdio/stdin/stderr streams are [locked](https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214), after which [`clear_stdin()`](https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220) is called. This invokes [`libc::tcflush(0, libc::TCIFLUSH)`](https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99) which fails on a non-TTY file descriptor.\n\nThis can be exploited by widening the race window between `clear_stdin()` and the next [`stdin_lock.read_line()`](https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256). Notably, the prompt message contains the requested resource name (path) which is filtered by [`strip_ansi_codes_and_ascii_control()`](https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225). This is also concatenated by [`write!()`](https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241) to make a single buffer printed out to stderr. Thus, if we request a very long resource name, the window will widen allowing us to easily and stably race another Worker that closes fd 0 and opens a resource starting with an `A\\n` within the race window.\n\nNote that attacker does not need any permissions to exploit this bug to a full permission prompt bypass, as Cache API can be used to create and open files with controlled content without any permissions. Refer to the Impact section for more details.\n\n\n### PoC\n\nTesting environment is Docker image `denoland/deno:alpine-1.39.0@sha256:95064390f2c115673762bfc4fe15b1a7f81c859038b8c02b277ede7cd8a2ccbf`.\n\nBelow PoC closes stdout (fd 1) and then prints two lines, one on stdout and one on stderr. Only the latter line is shown as stdout file descriptor is closed.\n\n```js\nconst ops = Deno[Deno.internal].core.ops;\n\n// open fd 1 as ipc stream resource\nconst rid = ops.op_node_ipc_pipe(1);\n\n// close resource \u0026 fd 1\nDeno.close(rid);\n\n// this should not be seen (stdout)\nconsole.log(\u0027not seen\u0027);\n\n// but this is seen (stderr)\nconsole.error(\u0027seen\u0027);\n```\n\nBelow is `/proc/$(pgrep deno)/fd` right after executing the last line of the above PoC. We see that fd 1 is indeed missing.\n\n```text\ntotal 0\ndr-x------ 2 root root 30 Dec 18 07:07 ./\ndr-xr-xr-x 9 root root  0 Dec 18 07:07 ../\nlrwx------ 1 root root 64 Dec 18 07:07 0 -\u003e /dev/pts/0\nl-wx------ 1 root root 64 Dec 18 07:07 10 -\u003e \u0027pipe:[159305]\u0027\nlr-x------ 1 root root 64 Dec 18 07:07 11 -\u003e \u0027pipe:[159306]\u0027\nl-wx------ 1 root root 64 Dec 18 07:07 12 -\u003e \u0027pipe:[159306]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 13 -\u003e /deno-dir/dep_analysis_cache_v1\nl-wx------ 1 root root 64 Dec 18 07:07 14 -\u003e \u0027pipe:[159305]\u0027\nl-wx------ 1 root root 64 Dec 18 07:07 15 -\u003e \u0027pipe:[159306]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 16 -\u003e /deno-dir/node_analysis_cache_v1\nlrwx------ 1 root root 64 Dec 18 07:07 17 -\u003e /dev/pts/0\nlrwx------ 1 root root 64 Dec 18 07:07 18 -\u003e /dev/pts/0\nlrwx------ 1 root root 64 Dec 18 07:07 19 -\u003e /dev/pts/0\nlrwx------ 1 root root 64 Dec 18 07:07 2 -\u003e /dev/pts/0\nlrwx------ 1 root root 64 Dec 18 07:07 20 -\u003e \u0027anon_inode:[eventpoll]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 21 -\u003e \u0027anon_inode:[eventfd]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 22 -\u003e \u0027anon_inode:[eventpoll]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 23 -\u003e \u0027socket:[159302]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 24 -\u003e \u0027anon_inode:[eventpoll]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 25 -\u003e \u0027anon_inode:[eventfd]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 26 -\u003e \u0027anon_inode:[eventpoll]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 27 -\u003e \u0027socket:[159302]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 28 -\u003e \u0027socket:[159310]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 29 -\u003e \u0027socket:[159308]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 3 -\u003e \u0027anon_inode:[eventpoll]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 30 -\u003e \u0027socket:[159309]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 4 -\u003e \u0027anon_inode:[eventfd]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 5 -\u003e \u0027anon_inode:[eventpoll]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 6 -\u003e \u0027socket:[159302]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 7 -\u003e \u0027socket:[159303]\u0027\nlrwx------ 1 root root 64 Dec 18 07:07 8 -\u003e \u0027socket:[159302]\u0027\nlr-x------ 1 root root 64 Dec 18 07:07 9 -\u003e \u0027pipe:[159305]\u0027\n```\n\n\n### Impact\n\nUse of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions.\n\nThis bug is **known to be exploitable** - there is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.\n\n\u003e Note that Deno\u0027s security model is currently described as follows:\n\u003e - All runtime I/O is considered to be privileged and must always be guarded by a runtime permission. This includes filesystem access, network access, etc.\n\u003e   - The only exception to this is runtime storage explosion attacks that are isolated to a part of the file system, caused by evaluated code (for example, caching big dependencies or no limits on runtime caches such as the Web Cache API).\n\u003e\n\u003e Although it is ambiguous if the fundamental lack of file system permission checks on Web Cache API is a vulnerability or not, the reporter have not reported this as a vulnerability assuming that this is a known risk (or a feature).\n\nAffected version of Deno is 1.39.0.\n\n- Introduced with commit 5a91a06\n- Fixed with commit 55fac9f\n",
  "id": "GHSA-6q4w-9x56-rmwq",
  "modified": "2024-03-21T18:29:15Z",
  "published": "2024-03-06T17:04:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-27933 (GCVE-0-2024-27933)

GSD-2024-27933

FKIE_CVE-2024-27933

GHSA-6Q4W-9X56-RMWQ

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature