lyft / clutch

Extensible platform for infrastructure management
https://clutch.sh
Apache License 2.0

frontend: Fixing vulnerability protobufjs Prototype Pollution #3140

Closed functionofpwnosec closed 4 weeks ago

functionofpwnosec commented 1 month ago

Description

A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas was about Object.__proto__.<new-property> = ...; instead.

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

Vulnerability Description

Using the parse function

```javascript
const protobuf = require("protobufjs");
protobuf.parse('option(a).constructor.prototype.verified = true;');
console.log({}.verified);
// returns true
```

Using the setParsedOption function of a ReflectionObject

```javascript
const protobuf = require("protobufjs");
function gadgetFunction() {
  console.log("User is authenticated");
}
// This will fail, but also pollute the prototype of Object
try {
  let obj = new protobuf.ReflectionObject("Test");
  obj.setParsedOption("unimportant!", gadgetFunction, "constructor.prototype.testFn");
} catch (e) {}
// Now we can make use of the new function on the polluted prototype
const a = {};
a.testFn();
// Prints "User is authenticated" to the console.
```

Using the function util.setProperty

```javascript
const protobuf = require("protobufjs");
protobuf.util.setProperty({}, "constructor.prototype.verified", true);
console.log({}.verified);
// returns true
```

Impact and Risks

An attacker-controlled object, e.g. data in JSON format received over the network and parsed by the application using tree-kit's extend function, can be used to pollute the prototype of the Object.prototype by adding and overwriting its data and functions. These data and functions will be available in all objects created henceforth. Depending on the application that uses the tree-kit library, this vulnerability can result in follow-up issues, such as:

• Remote code execution (RCE)
• Denial of service attack (DoS) by overriding some built-in functions (e.g. toString)
• Authentication/validation bypass
• Privilege escalation
• Cross-site scripting (XSS)

CVE-2023-36665 CWE-1321
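As an added defensive illustration (not code from this PR, from clutch, or from protobufjs), the block below is a hypothetical hardened dotted-path setter: it rejects the `__proto__`, `constructor` and `prototype` segments that the `util.setProperty` proof of concept above relies on, only walks own properties, and pairs that with a small check that a fresh object has not inherited a polluted key. Function names and the sample paths are assumptions made for this example.

```javascript
"use strict";

// Path segments that must never be traversed or assigned when a
// caller-controlled dotted path is applied to an object.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened dotted-path setter (hypothetical, not protobufjs's util.setProperty):
// refuses forbidden segments and only descends into own, plain-object
// properties, so "constructor.prototype.verified" can never reach Object.prototype.
function safeSetProperty(dst, path, value) {
  const segments = path.split(".");
  for (const seg of segments) {
    if (seg === "" || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing unsafe path segment "${seg}" in "${path}"`);
    }
  }
  let cur = dst;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!Object.prototype.hasOwnProperty.call(cur, seg)) {
      // Inherited properties (e.g. Object.prototype.constructor) are never
      // followed; missing containers are created without any prototype chain.
      cur[seg] = Object.create(null);
    } else if (typeof cur[seg] !== "object" || cur[seg] === null) {
      throw new Error(`cannot descend into non-object at "${seg}"`);
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return dst;
}

// Detection helper: true if a brand-new object already inherits `key`,
// which is the observable symptom of a polluted Object.prototype.
function prototypeIsPolluted(key) {
  return key in {};
}

// Run the advisory's path through the hardened setter, then an ordinary one.
function demo() {
  const target = {};
  let rejected = false;
  try {
    safeSetProperty(target, "constructor.prototype.verified", true);
  } catch (e) {
    rejected = true;
  }
  safeSetProperty(target, "a.b.c", 1); // legitimate nested paths still work
  return { rejected, nested: target.a.b.c, polluted: prototypeIsPolluted("verified") };
}
```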

github-actions[bot] commented 1 month ago

This PR has been marked as stale after 7 or more days of inactivity. Please have a maintainer add the on hold label if this PR should remain open. If there is no further activity or the on hold label is not added, this PR will be closed in 3 days.