Executive Summary

This vulnerability exists in BrowserStack Runner versions up to 0.9.5 and involves a remote code execution flaw in the /_log HTTP handler.

An unauthenticated attacker who is network-adjacent can send specially crafted JSON request bodies to this handler.

The vulnerability arises because the handler passes user-supplied data to Node.js's vm.runInNewContext() combined with eval(), allowing attackers to escape the sandbox.

By leveraging a host-context Function reference through util.format, attackers can access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code remotely on the affected system without any authentication.

Such remote code execution can lead to complete compromise of the underlying system, including unauthorized access, data theft, system manipulation, or disruption of services.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated remote code execution on the host system, potentially leading to unauthorized access, modification, or exfiltration of sensitive data.

Such unauthorized access and control over the system could result in violations of common data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and health information.

Exploitation of this vulnerability could lead to data breaches or loss of data integrity, thereby impacting compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /_log HTTP handler on the server running BrowserStack Runner (typically on port 8888 or a configurable port). Specifically, crafted JSON request bodies that attempt to exploit the vm.runInNewContext() and eval() usage may indicate an attack.

You can use network monitoring or packet capture tools to detect such requests. For example, using tcpdump or Wireshark to filter HTTP POST requests to port 8888:

• tcpdump -i <interface> 'tcp dst port 8888 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Additionally, inspecting server logs for unauthenticated POST requests to /_log containing suspicious JSON payloads with references to 'this.constructor.constructor' or 'util.format' can help identify exploitation attempts.

No specific detection commands are provided in the resources, but monitoring for these indicators on the network and application logs is recommended.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Remove the use of eval() and vm.runInNewContext() from the /_log HTTP handler to prevent execution of arbitrary code.
• Add UUID-based authentication to the /_log handler to match the security of other handlers, preventing unauthenticated access.
• Bind the HTTP server to the localhost interface (127.0.0.1) instead of all interfaces (0.0.0.0) to restrict access to local processes only.

These steps reduce the attack surface and prevent remote unauthenticated attackers from exploiting the vulnerability.

Useful 0 Not Useful 0