Attacks on Node.js through manipulation of JavaScript object prototypes

Researchers from the Helmholtz Center for Information Security (CISPA) and the Royal Institute of Technology (Sweden) have analysed how JavaScript prototype pollution can be used to attack the Node.js platform and popular applications built on it, leading to code execution.

Prototype pollution exploits a feature of the JavaScript language that allows new properties to be added to the root prototype of any object. Applications may contain blocks of code (gadgets) whose behaviour is influenced by a substituted property; for example, the code may contain a construct such as `const cmd = options.cmd || "/bin/sh"`, whose logic changes if the attacker manages to replace the "cmd" property in the root prototype.

Carrying out the attack requires that the application can use external data to create new properties in the root prototype of an object, and that execution reaches a gadget that depends on the modified property. The prototype is modified by way of the "__proto__" and "constructor" service properties in Node.js. The "__proto__" property returns the prototype of the object's class, and the "constructor" property returns the function used to create the object.

If the application code contains an assignment of the form "obj[a][b] = value" and the values are set from external data, the attacker can set "a" to the value "__proto__" and thereby create a property of their own, with the name "b" and the value "value", in the root prototype of the object (obj.__proto__.b = value;), and a property set in the prototype is then visible in all objects. Similarly, if the code contains an expression such as "obj[a][b][c] = value", then by setting "a" to the value "constructor" and "b" to "prototype" on any existing object, a new property with the name "c" and the value "value" can be defined.

Example of modifying the prototype:

```javascript
const o1 = {};
const o2 = new Object();
o1.__proto__.x = 42;  // creates the property "x" in the root prototype
console.log(o2.x);    // reads the property "x" through a different object
// the output will be 42, since the root prototype was modified through
// object o1, and the same prototype is also used by object o2
```

Example of vulnerable code:

```javascript
function entryPoint(arg1, arg2, arg3) {
  const obj = {};
  const p = obj[arg1];
  p[arg2] = arg3;
  return p;
}
```

If the arguments of the entryPoint function are formed from input data, the attacker can pass the value "__proto__" as arg1 and create a property with any name in the root prototype. Passing the value "toString" as arg2 and the value 1 as arg3 redefines the "toString" property (Object.prototype.toString=1) and crashes the application the next time toString() is called.
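The following is an added example, not code from the article or from the researchers: it runs the vulnerable entryPoint sink described above against the "__proto__" input, then runs a hardened variant of the same sink that rejects prototype-reaching keys and writes only to a null-prototype object. The property name "polluted", the helper names and the sample call are constructed for this demonstration; the "toString" case from the text is deliberately not replayed, because it would leave the running process unable to stringify objects.

```javascript
// Added example (not from the article): the vulnerable sink from the text
// beside a hardened version, run against a constructed attack input.

// The gadget sink exactly as the article shows it: arg1 selects a property
// of a fresh object, so "__proto__" selects Object.prototype itself.
function entryPoint(arg1, arg2, arg3) {
  const obj = {};
  const p = obj[arg1];
  p[arg2] = arg3;
  return p;
}

// Keys that reach the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened sink (assumed design, not the article's): reject the dangerous
// keys outright and build on null-prototype objects, so "__proto__" would be
// an ordinary own key rather than the inherited accessor.
function entryPointSafe(arg1, arg2, arg3) {
  if (FORBIDDEN_KEYS.has(arg1) || FORBIDDEN_KEYS.has(arg2)) {
    throw new TypeError(`refusing prototype-reaching key: ${arg1}/${arg2}`);
  }
  const obj = Object.create(null);
  obj[arg1] = Object.create(null);
  const p = obj[arg1];
  p[arg2] = arg3;
  return p;
}

// Detection probe: does a brand-new, unrelated object see `name` through its
// prototype chain? True means the root prototype has been polluted.
function isPolluted(name) {
  const probe = {};
  return !Object.prototype.hasOwnProperty.call(probe, name) && name in probe;
}

// Feeds the constructed attack input ("__proto__", "polluted", 1) to a sink,
// records whether it threw and whether pollution reached Object.prototype,
// and removes the polluted key again so the process stays usable.
function runAgainst(sink) {
  const result = { threw: false, leaked: false };
  try {
    sink("__proto__", "polluted", 1);
  } catch (e) {
    result.threw = true;
  }
  result.leaked = isPolluted("polluted");
  delete Object.prototype.polluted;
  return result;
}

console.log("vulnerable:", runAgainst(entryPoint));    // { threw: false, leaked: true }
console.log("hardened:  ", runAgainst(entryPointSafe)); // { threw: true, leaked: false }
```

The probe in isPolluted is also a cheap runtime check an application can run on a fresh object after processing untrusted input: any key that is visible but not owned has come from the prototype chain.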

Examples of gadgets that can lead to a code execution attack include the creation of the "main", "shell", "exports", "contextExtensions" and "env" properties. For instance, an attacker can create a "main" property in the root prototype of an object and write the path to their own script into it (Object.prototype.main = "./../../pwned.js"); this property will then be consulted when code of the form require("my-package") is executed, if the package does not explicitly specify the "main" property in package.json (when the property is not defined, it is taken from the root prototype). The "shell", "exports" and "env" properties can be modified in the same way:

```javascript
let rootProto = Object.prototype;
rootProto["exports"] = {".":"./changelog.js"};
rootProto["1"] = "/path/to/npm/scripts/";
// trigger call
require("./target.js");

Object.prototype.main = "/path/to/npm/scripts/changelog.js";
Object.prototype.shell = "node";
Object.prototype.env = {};
Object.prototype.env.NODE_OPTIONS = "--inspect-brk=0.0.0.0:1337";
// trigger call
require("bytes");
```
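The following is an added example, not code from the article: it shows the gadget pattern `options.cmd || "/bin/sh"` from the opening of the article picking up an inherited value once Object.prototype is polluted, the same gadget rewritten to honour only own properties, a detection helper that lists unexpected enumerable keys on Object.prototype, and Object.freeze on the root prototype as a process-wide mitigation against all of the "main", "shell", "exports" and "env" style writes shown above. The property name "cmd", the polluted value and the helper names are constructed for the demonstration.

```javascript
// Added example (not from the article): a gadget before and after hardening,
// plus detection and a process-wide mitigation. Names and values constructed.

// Gadget pattern from the article: a missing option falls through to the
// default, but an inherited property from Object.prototype wins first.
function resolveCommandVulnerable(options) {
  return options.cmd || "/bin/sh";
}

// Hardened gadget: only an own property of `options` may override the default.
function resolveCommandSafe(options) {
  const own = Object.prototype.hasOwnProperty.call(options, "cmd");
  return own ? options.cmd : "/bin/sh";
}

// Detection: enumerable keys present on Object.prototype. A clean prototype
// yields none, because its built-in members (toString, hasOwnProperty, ...)
// are all non-enumerable; anything listed here was added at runtime.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Tries to write `name` onto Object.prototype and reports whether the write
// stuck (true before hardening, false after). Cleans up if it did stick.
function tryPollute(name) {
  try {
    Object.prototype[name] = 1;
  } catch (e) {
    // strict mode throws on a frozen object; sloppy mode ignores the write
  }
  const stuck = Object.keys(Object.prototype).includes(name);
  if (stuck) {
    delete Object.prototype[name];
  }
  return stuck;
}

// Mitigation for the whole process: freeze the root prototype so that later
// assignments to it are ignored (or throw in strict mode). This is
// irreversible, so it belongs at application startup, before any untrusted
// input is parsed, and must be tested against the app's dependencies.
function hardenRootPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Simulates a polluting write with a constructed value, evaluates both gadget
// versions before and during pollution, then removes the polluted key.
function demo() {
  const options = {}; // the caller supplied no cmd at all
  const snapshot = () => ({
    vulnerable: resolveCommandVulnerable(options),
    safe: resolveCommandSafe(options),
    keys: pollutedPrototypeKeys(),
  });
  const before = snapshot();
  Object.prototype.cmd = "/tmp/not-the-real-shell"; // constructed polluted value
  const during = snapshot();
  delete Object.prototype.cmd;
  return { before, during };
}

// Order matters: the demo must run before the prototype is frozen.
const demoResult = demo();
console.log(JSON.stringify(demoResult, null, 2));
const frozen = hardenRootPrototype();
const stuckAfterFreeze = tryPollute("afterFreeze");
console.log("root prototype frozen:", frozen,
            "| pollution sticks after freeze:", stuckAfterFreeze);
```

Reading the demo output: the vulnerable gadget returns the polluted path while the own-property version keeps returning "/bin/sh", and pollutedPrototypeKeys() reports ["cmd"] for as long as the polluted key exists, which is the signal a runtime health check would alert on.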

The researchers examined the 10 thousand NPM packages with the largest number of dependents and found that 1958 of them have no main property in package.json, 4420 use relative paths in their require expressions, and 355 directly use the API for command execution.

A working example is an exploit against the Parse Server backend that overrides the evalFunctions property. To simplify the identification of such vulnerabilities, a toolkit was developed that combines static and dynamic analysis methods. When testing Node.js, 11 gadgets were identified that can be used to mount attacks leading to execution of attacker-controlled code. In addition to Parse Server, two exploitable vulnerabilities were also identified in the NPM CLI.

Source: opennet.ru