search
githubEdit

Prototype Pollution to RCE

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag

hashtag
Vulnerable Code

Imagine a real JS using some code like the following one:

const { execSync, fork } = require('child_process');

function isObject(obj) {
    console.log(typeof obj);
    return typeof obj === 'function' || typeof obj === 'object';
}

// Function vulnerable to prototype pollution
function merge(target, source) {
    for (let key in source) {
        if (isObject(target[key]) && isObject(source[key])) {
            merge(target[key], source[key]);
        } else {
            target[key] = source[key];
        }
    }
    return target;
}

function clone(target) {
    return merge({}, target);
}

// Run prototype pollution with user input
// Check in the next sections what payload put here to execute arbitrary code
clone(USERINPUT);

// Spawn process, this will call the gadget that poputales env variables
// Create an a_file.js file in the current dir: `echo a=2 > a_file.js`
var proc = fork('a_file.js');

hashtag
PP2RCE via env vars

PP2RCE means Prototype Pollution to RCE (Remote Code Execution).

According to this writeuparrow-up-right when a process is spawned with some method from child_process (like fork or spawn or others) it calls the method normalizeSpawnArguments which a prototype pollution gadget to create new env vars:

Check that code you can see it's possible en poison envPairs just by polluting the attribute .env.

hashtag
Poisoning __proto__

circle-exclamation

Note that due to how the normalizeSpawnArguments function from the child_process library of node works, when something is called in order to set a new env variable for the process you just need to pollute anything. For example, if you do __proto__.avar="valuevar" the process will be spawned with a var called avar with value valuevar.

However, in order for the env variable to be the first one you need to pollute the .env attribute and (only in some methods) that var will be the first one (allowing the attack).

That's why NODE_OPTIONS is not inside .env in the following attack.

hashtag
Poisoning constructor.prototype

hashtag
PP2RCE via env vars + cmdline

A similar payload to the previous one with some changes was proposed in this writeuparrow-up-right. The main differences are:

  • Instead of storing the nodejs payload inside the file /proc/self/environ, it stores it inside argv0 of /proc/self/cmdline.

  • Then, instead of requiring via NODE_OPTIONS the file /proc/self/environ, it requires /proc/self/cmdline.

hashtag
DNS Interaction

Using the following payloads it's possible to abuse the NODE_OPTIONS env var we have discussed previously and detect if it worked with a DNS interaction:

Or, to avoid WAFs asking for the domain:

hashtag
PP2RCE vuln child_process functions

In this section where are going to analyse each function from child_process to execute code and see if we can use any technique to force that function to execute code:

chevron-rightexec exploitationhashtag
chevron-rightexecFile exploitationhashtag

For execFile to work it MUST execute node for the NODE_OPTIONS to work. If it's not executing node, you need to find how you could alter the execution of whatever it's executing with environment variables and set them.

The other techniques work without this requirement because it's possible to modify what is executed via prototype pollution. (In this case, even if you can pollute .shell, you won't pollute that is being executed).

chevron-rightfork exploitationhashtag
chevron-rightspawn exploitationhashtag
chevron-rightexecFileSync exploitationhashtag
chevron-rightexecSync exploitationhashtag
chevron-rightspawnSync exploitationhashtag

hashtag
Forcing Spawn

In the previous examples you saw how to trigger the gadget a functionality that calls spawn needs to be present (all methods of child_process used to execute something calls it). In the previous example that was part of the the code, but what if the code isn't calling it.

hashtag
Controlling a require file path

In this other writeuparrow-up-right the user can control the file path were a require will be executed. In that scenario the attacker just needs to find a .js file inside the system that will execute a spawn method when imported. Some examples of common files calling a spawn function when imported are:

  • /path/to/npm/scripts/changelog.js

  • /opt/yarn-v1.22.19/preinstall.js

  • Find more files below

The following simple script will search for calls from child_process without any padding (to avoid showing calls inside functions):

chevron-rightInteresting files found by previous scripthashtag

  • node_modules/buffer/bin/download-node-tests.js:17:cp.execSync('rm -rf node/*.js', { cwd: path.join(__dirname, '../test') })

  • node_modules/buffer/bin/test.js:10:var node = cp.spawn('npm', ['run', 'test-node'], { stdio: 'inherit' })

  • node_modules/npm/scripts/changelog.js:16:const log = execSync(git log --reverse --pretty='format:%h %H%d %s (%aN)%n%b%n---%n' ${branch}...).toString().split(/\n/)

  • node_modules/detect-libc/bin/detect-libc.js:18:process.exit(spawnSync(process.argv[2], process.argv.slice(3), spawnOptions).status);

  • node_modules/jest-expo/bin/jest.js:26:const result = childProcess.spawnSync('node', jestWithArgs, { stdio: 'inherit' });

  • node_modules/buffer/bin/download-node-tests.js:17:cp.execSync('rm -rf node/*.js', { cwd: path.join(__dirname, '../test') })

  • node_modules/buffer/bin/test.js:10:var node = cp.spawn('npm', ['run', 'test-node'], { stdio: 'inherit' })

  • node_modules/runtypes/scripts/format.js:13:const npmBinPath = execSync('npm bin').toString().trim();

  • node_modules/node-pty/scripts/publish.js:31:const result = cp.spawn('npm', args, { stdio: 'inherit' });

hashtag
Setting require file path via prototype pollution

circle-exclamation

The previous technique requires that the user controls the path of the file that is going to be required. But this is not always true.

However, if the code is going to execute a require after the prototype pollution, even if you don't control the path that is going to be require, you can force a different one abusing propotype pollution. So even if the code line is like require("./a_file.js") or require("bytes") it will require the package you polluted.

Therefore, if a require is executed after your prototype pollution and no spawn function, this is the attack:

  • Find a .js file inside the system that when required will execute something using child_process

    • If you can upload files to the platform you are attacking you might upload a file like that

  • Pollute the paths to force the require load of the .js file that will execute something with child_process

  • Pollute the environ/cmdline to execute arbitrary code when a child_process execution function is called (see the initial techniques)

hashtag
Absolute require

If the performed require is absolute (require("bytes")) and the package doesn't contain main in the package.json file, you can pollute the main attribute and make the require execute a different file.

hashtag
Relative require - 1

If a relative path is loaded instead of an absolute path, you can make node load a different path:

hashtag
Relative require - 2

hashtag
Relative require - 3

Similar to the previous one, this was found in this writeuparrow-up-right.

hashtag
VM Gadgets

In the paper https://arxiv.org/pdf/2207.11171.pdfarrow-up-right is also indicated that the control of contextExtensions from some methods of the vm library could be used as a gadget. However, as the previous child_process methods, it has been fixed in the latest versions.

hashtag
Fixes & Unexpected protections

Please, note that prototype pollution works if the attribute of an object that is being accessed is undefined. If in the code that attribute is set a value you won't be able to overwrite it.

In Jun 2022 from this commitarrow-up-right the var options instead of a {} is a kEmptyObject. Which prevents a prototype pollution from affecting the attributes of options to obtain RCE. At least from v18.4.0 this protection has been implemented, and therefore the spawn and spawnSync exploits affecting the methods no longer work (if no options are used!).

In this commitarrow-up-right the prototype pollution of contextExtensions from the vm library was also kind of fixed setting options to kEmptyObject instead of {}.

hashtag
Other Gadgets

hashtag
References

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag
PreviousExpress Prototype Pollution GadgetsNextJava JSF ViewState (.faces) Deserialization

Last updated