Attacking Node.js by manipulating JavaScript object prototypes

Researchers from the Helmholtz Center for Information Security (CISPA) and the Royal Institute of Technology (Sweden) analyzed how the JavaScript prototype pollution technique can be applied to attacks on the Node.js platform and popular applications built on it, leading to code execution.

The prototype pollution method relies on a feature of the JavaScript language that allows new properties to be added to the root prototype of any object. Applications may contain code blocks (gadgets) whose behaviour is affected by the substituted property; for example, code may contain a construct such as `const cmd = options.cmd || "/bin/sh"`, whose logic changes if the attacker manages to plant a "cmd" property in the root prototype.

A successful attack requires that the application can use external data to create a new property in the root prototype of an object, and that execution then reaches a gadget that depends on the modified property. The prototype is changed by manipulating the special properties "__proto__" and "constructor" in Node.js. The "__proto__" property returns the prototype of the object's class, and the "constructor" property returns the function used to create the object.

If the application code contains an operation of the form "obj[a][b] = value" and the values are taken from external data, the attacker can set "a" to "__proto__" and thereby install their own property named "b" with the value "value" in the object's root prototype (obj.__proto__.b = value;); a property set in the prototype is visible in all objects. Similarly, if the code contains an expression such as "obj[a][b][c] = value", setting "a" to "constructor" and "b" to "prototype" lets you define a new property named "c" with the value "value" in all existing objects.

Example of modifying the prototype:

    const o1 = {};
    const o2 = new Object();
    o1.__proto__.x = 42;  // create property "x" in the root prototype
    console.log(o2.x);    // access property "x" from another object
    // the output is 42, since the root prototype was changed through object o1,
    // and the same prototype is used by object o2

Example of vulnerable code:

    function entryPoint(arg1, arg2, arg3) {
      const obj = {};
      const p = obj[arg1];
      p[arg2] = arg3;
      return p;
    }

If the arguments of the entryPoint function are formed from input data, the attacker can pass the value "__proto__" as arg1 and create a property with any name in the root prototype. Passing "toString" as arg2 and 1 as arg3 defines the "toString" property (Object.prototype.toString=1) and crashes the application the next time toString() is called.
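As an added example (not code from the paper or the article), here is the entryPoint gadget from above beside a hardened setter that rejects the keys both the "__proto__" and the "constructor"/"prototype" vectors rely on, plus a check a test suite can run; the names entryPointVulnerable, safeSet, prototypeIsPolluted and the two demo functions are the example's own.

```javascript
// Added example, not the paper's or the article's code: the vulnerable
// entryPoint pattern, a hardened setter, and a pollution check.
function entryPointVulnerable(arg1, arg2, arg3) {
  const obj = {};
  const p = obj[arg1]; // arg1 = "__proto__" makes p the shared Object.prototype
  p[arg2] = arg3;      // so this property becomes visible on every object
  return p;
}
// Hardened: refuse keys that walk up to the root prototype, and give
// intermediate containers no prototype chain at all.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeSet(root, path, value) {
  if (path.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new TypeError(`refusing prototype key in path ${path.join(".")}`);
  }
  let cur = root;
  for (const key of path.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, key)) {
      cur[key] = Object.create(null); // own property, no Object.prototype
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return root;
}
// Detection: for-in on an empty literal walks the prototype chain, so
// any enumerable key it yields was injected into a prototype.
function prototypeIsPolluted() {
  for (const _ in {}) return true;
  return false;
}
// Exercise the gadget, observe the leak on an unrelated object, then
// remove the property so the rest of the process is unaffected.
function demoProtoPath() {
  const before = prototypeIsPolluted();
  entryPointVulnerable("__proto__", "polluted", 1);
  const during = prototypeIsPolluted();
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, during, leaked, after: prototypeIsPolluted() };
}
// The obj[a][b][c] form: "constructor" then "prototype" reaches
// Object.prototype without ever naming __proto__.
function demoConstructorPath() {
  const obj = {};
  obj["constructor"]["prototype"]["polluted2"] = 7;
  const leaked = ({}).polluted2;
  delete Object.prototype.polluted2;
  return leaked;
}
```

The demo functions delete the injected property afterwards; in a real process the polluted property persists until restart, which is why the for-in probe is useful as a regression check.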

Examples of situations that can lead to execution of the attacker's code include the creation of the properties "main", "shell", "exports", "contextExtensions" and "env". For example, an attacker can create a "main" property in the root prototype and write into it the path to their script (Object.prototype.main = "./../../pwned.js"); this property is then consulted during execution of a require("my-package") call if the included package does not explicitly define the "main" property in its package.json (when the property is not defined, it is taken from the root prototype). The "shell", "exports" and "env" properties can be substituted in a similar way:

    let rootProto = Object.prototype;
    rootProto["exports"] = {".":"./changelog.js"};
    rootProto["1"] = "/path/to/npm/scripts/";
    // triggering call: require("/target.js");

    Object.prototype.main = "/path/to/npm/scripts/changelog.js";
    Object.prototype.shell = "node";
    Object.prototype.env = {};
    Object.prototype.env.NODE_OPTIONS = "--inspect-brk=0.0.0.0:1337";
    // triggering call: require("bytes");

The researchers examined the 10 NPM packages with the largest number of dependents and found that 1958 of them lack the main property in package.json, 4420 use relative paths in their require calls, and 355 directly use the command substitution API.

As a working example, an exploit was prepared for attacking Parse Server that bypasses the EvalFunctions property. To simplify the identification of such vulnerabilities, a tool was created that combines static analysis methods. During testing of Node.js, 11 gadgets were identified that can be used to build attacks leading to execution of the attacker's code. In addition to Parse Server, two exploitable vulnerabilities were also found in the NPM CLI.

source: budenet.ru
