CVE-2024-23738: Exploiting Postman on macOS via RunAsNode and enableNodeCliInspectArguments

A recently discovered security vulnerability, CVE-2024-23738, impacts Postman version 10.22 and earlier on macOS systems. This vulnerability could potentially allow remote attackers to execute arbitrary code through the "RunAsNode" and "enableNodeCliInspectArguments" settings. However, it's important to mention that the Postman vendor disputes these claims and maintains that the configuration does not enable remote code execution. Nonetheless, it is essential for users to understand and assess their own risk. In this blog, we will elaborate on the details of this vulnerability, along with associated code snippets, exploit methods, and original references.

The Vulnerability

Postman is a widely used API client and a valuable tool for developers when working with REST APIs. The vulnerability exists in the "RunAsNode" and "enableNodeCliInspectArguments" settings, allowing remote attackers to potentially execute arbitrary code on the affected macOS systems. It is important to note that the vendor disputes this claim, arguing that the configuration doesn't enable remote code execution. However, this post will discuss the vulnerability and relevant code snippets and exploit methods to provide more information and context on the issue.

The following code snippet details a sample HTTP request using the vulnerable settings

POST /vulnerable/path HTTP/1.1
Host: target-domain.com
Content-Type: application/json
Content-Length: length

{
  "RunAsNode": true,
  "enableNodeCliInspectArguments": "attacker-controlled-value"
}

Exploit Details

In order to exploit this vulnerability, an attacker would send a malicious HTTP request containing the attacker-controlled value within an API call to a vulnerable Postman version on macOS. The affected system may process this request and execute the malicious code provided in the "attacker-controlled-value". This could potentially result in unauthorized access to sensitive data, resources, or loss of system control.

The following references provide more information on this vulnerability

1. CVE-2024-23738 Official Record
2. National Vulnerability Database (NVD) Entry for CVE-2024-23738

Vendor Dispute

It is important to recognize that the Postman vendor disputes the accuracy of this report and claims that the configuration specified does not actually enable remote code execution. While this post aims to provide information on the potential risk associated with this vulnerability, users should carefully assess their own risk and consider the vendor's statement.

Conclusion

CVE-2024-23738 is a vulnerability impacting Postman version 10.22 and earlier on macOS systems. This issue could potentially allow remote attackers to execute arbitrary code through the "RunAsNode" and "enableNodeCliInspectArguments" settings. Despite the dispute from the vendor, it's crucial for users to understand the risk associated with this vulnerability and evaluate their own security measures. Stay informed, and stay secure.

Timeline

Published on: 01/28/2024 01:15:07 UTC
Last modified on: 02/26/2024 16:27:57 UTC