Attacking Node.js through manipulation of JavaScript object prototypes

Researchers from the Helmholtz Center for Information Security (CISPA) and the Royal Institute of Technology (Sweden) have analysed how the JavaScript prototype pollution technique can be used to build attacks against the Node.js platform and popular applications built on it, up to and including code execution.

Prototype pollution relies on a feature of the JavaScript language that allows new properties to be added to the root prototype of any object. An application may contain code blocks (gadgets) whose behaviour depends on a property that can be substituted this way; for example, the code may contain a construct such as 'const cmd = options.cmd || "/bin/sh"', whose logic changes if an attacker manages to plant a "cmd" property in the root prototype.

A successful attack requires that the application use external data to create a new property in an object's root prototype, and that execution then reach a gadget that depends on the modified property. In Node.js the prototype is changed by manipulating the "__proto__" and "constructor" service properties. The "__proto__" property returns the prototype of the object's class, and the "constructor" property returns the function that was used to create the object.

If the application code contains an expression of the form "obj[a][b] = value" and the operands are taken from external data, an attacker can set "a" to "__proto__" and thereby write a property named "b" with the value "value" into the root prototype of the object (obj.__proto__.b = value;); a property set in the prototype becomes visible in all objects. Likewise, if the code contains an expression such as "obj[a][b][c] = value", setting "a" to "constructor" and "b" to "prototype" defines a new property named "c" with the value "value" in every existing object.

Example of changing the prototype:

    const o1 = {};
    const o2 = new Object();
    o1.__proto__.x = 42;  // create property "x" in the root prototype
    console.log(o2.x);    // read property "x" from a different object
    // the output is 42, because the root prototype modified through object o1
    // is also used by object o2

Example of vulnerable code:

    function entryPoint(arg1, arg2, arg3) {
      const obj = {};
      const p = obj[arg1];
      p[arg2] = arg3;
      return p;
    }

If the arguments of the entryPoint function are built from input data, an attacker can pass the value "__proto__" as arg1 and create a property with an arbitrary name in the root prototype. Passing "toString" as arg2 and 1 as arg3 redefines the "toString" property (Object.prototype.toString = 1) and crashes the application the next time toString() is called.
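The following is an added example, not code from the article or from the research described in it. It generalises the "obj[a][b] = value" sink above into a small key-path setter (the hypothetical setPath), shows both pollution routes described above ("__proto__" and "constructor"/"prototype"), a gadget of the 'options.cmd || "/bin/sh"' kind (the hypothetical pickCommand), and a hardened setter (the hypothetical setPathSafe) that refuses the prototype-walking keys and never descends into inherited properties. The demo helper removes the planted property afterwards so the rest of the process is unaffected.

```javascript
// Added example (not from the original article). All function names are
// illustrative. Run with: node this_file.js

// Vulnerable sink: assigns a value at a key path taken from untrusted input.
// setPath({}, ["__proto__", "cmd"], "id")              -> pollutes via __proto__
// setPath({}, ["constructor", "prototype", "cmd"], "id") -> pollutes via constructor
function setPath(target, keys, value) {
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined) node[keys[i]] = {};
    node = node[keys[i]];          // for "__proto__" this is Object.prototype
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Gadget: the fallback is silently replaced once "cmd" exists on Object.prototype.
function pickCommand(options) {
  return options.cmd || "/bin/sh";
}

// Hardened sink: rejects the keys that reach the prototype chain and only
// follows own properties, so inherited ones can never be written through.
function setPathSafe(target, keys, value) {
  const banned = new Set(["__proto__", "constructor", "prototype"]);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (banned.has(k)) throw new Error(`refusing key ${k}`);
    if (!Object.prototype.hasOwnProperty.call(node, k)) node[k] = {};
    node = node[k];
  }
  const last = keys[keys.length - 1];
  if (banned.has(last)) throw new Error(`refusing key ${last}`);
  node[last] = value;
  return target;
}

// Runs one pollution attempt through the given sink and reports what an
// unrelated object and the gadget see afterwards. Always cleans up the
// planted property so later code in the process is not affected.
function demo(sink, keys) {
  let error = null;
  try {
    sink({}, keys, "id");
  } catch (e) {
    error = e.message;
  }
  try {
    return {
      seenByOtherObject: ({}).cmd,   // undefined unless the prototype was polluted
      seenByGadget: pickCommand({}),
      error,
    };
  } finally {
    delete Object.prototype.cmd;     // assignment-created properties are configurable
  }
}

// With the vulnerable sink both routes pollute the root prototype;
// with the hardened sink both are rejected and the gadget keeps its default.
const viaProto = demo(setPath, ["__proto__", "cmd"]);
const viaCtor = demo(setPath, ["constructor", "prototype", "cmd"]);
const blocked = demo(setPathSafe, ["__proto__", "cmd"]);

console.log("via __proto__:", viaProto);
console.log("via constructor.prototype:", viaCtor);
console.log("hardened sink:", blocked);
```

The banned-key list is the usual first line of defence, but it is not complete on its own: the hasOwnProperty check matters because an attacker who cannot spell "__proto__" may still try to reach an inherited object through some other key, and the most robust fix for configuration-style objects is to create them with Object.create(null) so there is no prototype to reach in the first place.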

Examples of situations that can lead to execution of attacker-supplied code include the creation of the "main", "shell", "exports", "contextExtensions" and "env" properties. For instance, an attacker can create a "main" property in the root object prototype and store the path to their own script in it (Object.prototype.main = "./../../pwned.js"); that property will then be consulted when a construct of the form require("my-package") is executed, provided the required package does not explicitly define "main" in its package.json (when the property is absent there, the lookup falls through to the root prototype). The "shell", "exports" and "env" properties can be substituted in the same way:

    let rootProto = Object.prototype;
    rootProto["exports"] = {".": "./changelog.js"};
    rootProto["1"] = "/path/to/npm/scripts/";
    // trigger call
    require("./target.js");

    Object.prototype.main = "/path/to/npm/scripts/changelog.js";
    Object.prototype.shell = "node";
    Object.prototype.env = {};
    Object.prototype.env.NODE_OPTIONS = "--inspect-brk=0.0.0.0:1337";
    // trigger call
    require("bytes");
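The following is an added example, not code from the article, the research or Node.js itself. It models why the "main" gadget above works: JSON.parse returns ordinary objects that inherit from Object.prototype, so a package.json without an own "main" field reads whatever was planted there. The hypothetical resolveMainNaive mirrors that lookup pattern ('pkg.main || "index.js"'); it is a simplified model, not Node's actual loader. The hypothetical parseJsonNoProto and resolveMainSafe show the fix: rebuild parsed objects with a null prototype and insist on own properties. The package.json texts are constructed for the example.

```javascript
// Added example (not from the original article or Node.js). Names are
// illustrative; the resolver is a model of the lookup pattern, not Node's code.

// Constructed package.json texts: one without "main" (the vulnerable case
// described above) and one that defines it explicitly.
const PKG_WITHOUT_MAIN = '{"name": "my-package", "version": "1.0.0"}';
const PKG_WITH_MAIN = '{"name": "my-package", "main": "./lib/index.js"}';

// Naive lookup: when "main" is not an own property, the read falls through
// the prototype chain to Object.prototype.main, which an attacker controls
// after a pollution.
function resolveMainNaive(pkgText) {
  const pkg = JSON.parse(pkgText);
  return pkg.main || "index.js";
}

// Hardened parsing: the reviver runs bottom-up, so every plain object in the
// parsed tree is rebuilt with a null prototype. Inherited properties then
// simply do not exist on these objects.
function parseJsonNoProto(text) {
  return JSON.parse(text, (key, value) => {
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      return Object.assign(Object.create(null), value);
    }
    return value;
  });
}

// Hardened lookup: null-prototype object plus an explicit own-property check,
// so even a polluted Object.prototype cannot supply a "main".
function resolveMainSafe(pkgText) {
  const pkg = parseJsonNoProto(pkgText);
  return Object.prototype.hasOwnProperty.call(pkg, "main") ? pkg.main : "index.js";
}

// Plant a "main" on the root prototype, query both resolvers, and remove the
// planted property again so the rest of the process is unaffected.
function demoMainGadget(plantedPath) {
  Object.prototype.main = plantedPath;
  try {
    return {
      naiveNoMain: resolveMainNaive(PKG_WITHOUT_MAIN),   // attacker's path
      naiveWithMain: resolveMainNaive(PKG_WITH_MAIN),    // explicit main wins
      safeNoMain: resolveMainSafe(PKG_WITHOUT_MAIN),     // default, unaffected
      safeWithMain: resolveMainSafe(PKG_WITH_MAIN),
    };
  } finally {
    delete Object.prototype.main;
  }
}

const result = demoMainGadget("./../../pwned.js");
console.log(result);
```

The same inheritance applies to any options object read with a bare property access, which is why the "shell" and "env" gadgets work on an options argument that was never given those fields: the fix on the consuming side is the same own-property discipline, and on the producing side it is null-prototype objects for anything built from parsed input.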

The researchers analysed the 10,000 NPM packages with the largest numbers of dependents and found that 1958 of them do not define the main property in package.json, 4420 use relative paths in require statements, and 35 call the command execution API directly.

A working example is an attack on the Parse Server backend that overrides the evalFunctions property. To simplify the identification of such vulnerabilities, a toolkit combining static and dynamic analysis methods was developed. When Node.js was tested, 11 gadgets were identified that can be used to mount attacks leading to execution of attacker-supplied code. Besides Parse Server, two vulnerabilities were also identified in the NPM CLI.

Source: opennet.ru
