Attacking Node.js by manipulating JavaScript prototypes

Researchers from the Helmholtz Center for Information Security (CISPA) and the Royal Institute of Technology (Sweden) analyzed how applicable the JavaScript prototype pollution technique is for building attacks on the Node.js platform and on popular applications based on it that lead to code execution.

The prototype pollution technique relies on a feature of the JavaScript language that allows new properties to be added to the root prototype of any object. Applications may contain code blocks (gadgets) whose behavior is affected by a substituted property. For example, code may contain a construct such as 'const cmd = options.cmd || "/bin/sh"', whose logic changes if an attacker manages to set the "cmd" property in the root prototype.

A successful attack requires that the application can use external data to create a new property in the root prototype of an object, and that execution then reaches a gadget that depends on the modified property. The prototype is modified through the "__proto__" and "constructor" service properties in Node.js. The "__proto__" property returns the prototype of the object's class, and the "constructor" property returns the function used to create the object.

If the application code contains the assignment "obj[a][b] = value" and the values are taken from external data, an attacker can set "a" to the value "__proto__" and have a property named "b" with the value "value" installed in the root prototype of the object (obj.__proto__.b = value;), and a property set in the prototype is visible in all objects. Similarly, if the code contains expressions such as "obj[a][b][c] = value", setting "a" to "constructor" and "b" to "prototype" defines a new property named "c" with the value "value" in all existing objects.

Example of modifying the prototype:

    const o1 = {};
    const o2 = new Object();
    o1.__proto__.x = 42; // create property "x" in the root prototype
    console.log(o2.x);   // read property "x" from another object
    // the output is 42, because the root prototype was changed through object o1 and is also used by object o2

Example of vulnerable code:

    function entryPoint(arg1, arg2, arg3) {
      const obj = {};
      const p = obj[arg1];
      p[arg2] = arg3;
      return p;
    }

If the arguments of the entryPoint function are built from input data, an attacker can pass the value "__proto__" as arg1 and create a property with any name in the root prototype. Passing "toString" as arg2 and 1 as arg3 defines the "toString" property (Object.prototype.toString=1) and crashes the application on a later call to toString().
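As an added example (not code from the article or from the researchers), the following shows a hardened counterpart to the "obj[a][b] = value" pattern and to the 'options.cmd || "/bin/sh"' gadget described above, plus a simple check for a polluted root prototype. The names safeSet, getCmd, pollutedKeys and demo are hypothetical, and the polluting value is constructed.

```javascript
// Added example, not from the article. All names here are hypothetical.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened form of obj[a][b]... = value: keys that reach a prototype are refused.
function safeSet(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError("refusing prototype-reaching key: " + key);
    if (i === path.length - 1) { cur[key] = value; break; }
    // Descend only into own object-valued properties, never inherited ones.
    if (!hasOwn(cur, key) || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  return obj;
}

// Gadget-side defence: use "cmd" only if the caller set it on the object itself.
function getCmd(options) {
  return hasOwn(options, "cmd") ? options.cmd : "/bin/sh";
}

// Detection aid: a clean runtime has no enumerable keys on Object.prototype.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

function demo() {
  const out = {};
  const obj = {};
  obj["__proto__"]["cmd"] = "constructed-value"; // the article's obj[a][b] = value
  out.naive = ({}).cmd || "/bin/sh";   // inherited value wins in the naive gadget
  out.hardened = getCmd({});           // own-property check ignores it
  out.detected = pollutedKeys();       // the pollution is visible here
  delete Object.prototype.cmd;         // restore the root prototype
  try {
    safeSet({}, ["__proto__", "cmd"], "constructed-value");
    out.blocked = false;
  } catch (e) {
    out.blocked = e instanceof TypeError;
  }
  out.cleanAfter = pollutedKeys().length === 0;
  return out;
}

console.log(demo());
```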

Examples of situations that can lead to execution of attacker code include the creation of the "main", "shell", "exports", "contextExtensions" and "env" properties. For example, an attacker can create a "main" property in the root prototype of an object and write the path to their script into it (Object.prototype.main = "./../../pwned.js"). This property is then used when the code executes the construct require("my-package"), provided the included package does not explicitly define the "main" property in package.json (if the property is not defined, it is taken from the root prototype). The "shell", "exports" and "env" properties can be substituted in the same way:

    let rootProto = Object.prototype;
    rootProto["exports"] = {".":"./changelog.js"};
    rootProto["1"] = "/path/to/npm/scripts/";
    // trigger call
    require("./target.js");

    Object.prototype.main = "/path/to/npm/scripts/changelog.js";
    Object.prototype.shell = "node";
    Object.prototype.env = {};
    Object.prototype.env.NODE_OPTIONS = "--inspect-brk=0.0.0.0:1337";
    // trigger call
    require("byte");

The researchers analyzed the 10 NPM packages with the largest number of dependents and found that 1958 of them do not have a main property in package.json, 4420 use relative paths in their require statements, and 355 directly use the command substitution API.

A working example is an exploit for attacking the Parse Server backend that overrides the evalFunctions property. To simplify the identification of such vulnerabilities, a toolkit has been developed that combines static and dynamic analysis methods. During testing of Node.js, 11 gadgets were found that can be used to organize attacks leading to the execution of attacker code. In addition to Parse Server, two exploitable vulnerabilities were found in the NPM CLI.

Source: opennet.ru
