## https://sploitus.com/exploit?id=43C77EB4-90E2-5040-8398-5128A5C2F93B
## Introduction

[Chinese](./README_zh.md)

js2py is a popular Python package that can evaluate JavaScript code inside the Python interpreter. It is used by various web scrapers to parse JavaScript code on websites.

There is a vulnerability in the implementation of global variables within js2py, which could allow an attacker to obtain references to python objects in the js2py environment, thereby allowing the attacker to exit the js environment and execute arbitrary commands on the host.

Typically a user calls `js2py.disable_pyimport()` to stop JavaScript code from leaving the js2py environment. With this vulnerability, an attacker can circumvent that restriction and execute any command on the host.

Threat actors can host websites that contain malicious JS files, or send malicious scripts via an HTTP API, for victims to evaluate. By doing so, the actor achieves remote code execution, running any shell command on the target host.

## Vulnerability details

- Affected component versions:
  - latest js2py (<=0.74) running under Python 3
- affected products:
  - [pyload/pyload](https://github.com/pyload/pyload)
  - [VeNoMouS/cloudscraper](https://github.com/VeNoMouS/cloudscraper) (uses js2py as an optional 'js interpreter')
  - [dipu-bd/lightnovel-crawler](https://github.com/dipu-bd/lightnovel-crawler)
- The steps to reproduce:
  - Install a Python 3 version below 3.12; `js2py` does not currently support Python 3.12.
  - Run `pip install js2py` to install `js2py`, then execute `poc.py`, which tries to execute `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists, the script prints `Success! the vulnerability exists...` or pops up a calculator.
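A small audit helper, added here and not part of the PoC repository, that flags the js2py range named above and the listed consumer projects in a pinned requirements file or in the running interpreter, using only the standard library. The PyPI distribution names for the three consumers are assumed (`pyload-ng`, `cloudscraper`, `lightnovel-crawler`).

```python
"""Flag js2py installs in the affected range (<= 0.74) and known consumers."""
import re
from importlib import metadata

LAST_AFFECTED = (0, 74)  # latest js2py at the time of the report; no fixed release is known
# Consumers named in the report; PyPI names are assumed (cloudscraper uses js2py only optionally)
KNOWN_DEPENDENTS = {"pyload-ng", "cloudscraper", "lightnovel-crawler"}


def major_minor(ver):
    """Reduce '0.74', '0.74.1rc1' or '1' to a comparable (major, minor) tuple."""
    m = re.match(r"(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0])[:2])


def is_affected(ver):
    """True when the js2py version lies in the range this report covers."""
    return major_minor(ver) <= LAST_AFFECTED


def audit_requirements(text):
    """Scan 'name==version' lines and report affected js2py pins and known consumers."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([^\s;]+)", line)
        if not m:
            continue
        name, ver = m.group(1).lower().replace("_", "-"), m.group(2)
        if name == "js2py" and is_affected(ver):
            findings.append(f"js2py=={ver}: affected, sandbox escape bypasses disable_pyimport()")
        elif name in KNOWN_DEPENDENTS:
            findings.append(f"{name}=={ver}: js2py consumer, check whether it evaluates untrusted JS")
    return findings


def audit_installed():
    """Same check against the running interpreter; None when js2py is not installed."""
    try:
        return is_affected(metadata.version("js2py"))
    except metadata.PackageNotFoundError:
        return None


# Constructed sample requirements file so the script runs stand-alone
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
js2py==0.74   # used by the scraper's JS challenge solver
cloudscraper==1.2.71
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```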

## Fix

Currently no official fix is available; users can use `fix.py` to dynamically patch js2py, or apply `patch.txt` to fix the source code.

## Others

I found this vulnerability in February and submitted a PR to the official repo. But after that, the PR was forgotten and four months have passed, so I decided to release the PoC and the fix now.