BrowserStack Runner
- Affected versions: <= 0.9.5
BrowserStack Runner through version 0.9.5 contains a remote code execution vulnerability in its '/_log' HTTP handler, which accepts POST requests carrying JSON bodies. The handler passes user-supplied data to 'vm.runInNewContext()' combined with 'eval()'. Node's vm module is an isolation convenience, not a security boundary: the new context's global object delegates to a host-created object, so a payload that reaches a host-context Function reference (for example through the constructor chain of that object) escapes the context and gains access to the host process. An unauthenticated network-adjacent attacker can therefore craft a JSON request that executes arbitrary code on the host system.
Successful exploitation gives an unauthenticated attacker arbitrary code execution on the developer's machine running BrowserStack Runner. Commands run with the runner's own privileges and environment, which includes sensitive data such as the BrowserStack access key, so the attacker can both steal that credential and run any command on the system.
To reproduce, start BrowserStack Runner, which opens an HTTP server on port 8888 bound to all network interfaces. Then send a POST request to the '/_log' endpoint with a JSON body whose payload uses a host-context Function reference to reach the host process and run a command. The HTTP response contains the output of the executed command, which confirms that the code ran on the host.
To address this vulnerability, remove both 'eval()' and 'vm.runInNewContext()' from the '_log' handler and replace them with 'JSON.stringify()' so that logged data is only ever serialized, never evaluated. Additionally, require the same UUID-based authentication on the '_log' handler that the '_progress' and '_report' handlers already enforce. Finally, bind the HTTP server to '127.0.0.1' instead of '0.0.0.0'. Note that the loopback binding only limits exposure; removing the evaluation is the actual fix, and the authentication check is defense in depth for the remaining local attack surface.