ANHKWAR (3)
Last Login: August 10, 2024
ANHKWAR's Latest (1) Contributions
Technical Analysis
I don’t know what kind of expression is officially used, but it is a vulnerability that can change common objects.
When I tried it on the console, it became as follows.
Prepare the variables of test1 and test2, and assign the character string to the test of “proto” of test1.
Then, test2 will also display the character string assigned to test1.
I don’t know what the specifications are, but the same phenomenon occurs when using “proto” for the elements of the array.
If you assign {“admin”: 123456} to test [“__ proto__”], the admin property will be created in test, and only the assigned value will be entered (123456 in this example).
If you assign {“user”: 999999} to test [“user”], the user property will be created in test, and the assigned JSON itself will be entered.
———————————————————————————–+
Impact
Existing properties may be added or modified.
As a result, it can lead to DoS and remote code execution.
Also, changing properties can lead to logic evasion and privilege escalation.
First of all, I downloaded 3.3.1 and 3.4.1 to check the phenomenon.
By using the verification code in the following article, we were able to confirm the operation of the vulnerability.
let a = $.extend(true, {}, JSON.parse(‘{”proto”: {“devMode”: true}}’))
console.log({}.devMode);
The result of console.log.
3.3.1
true
3.4.1
undefined
Confirmation of correction points
Since I was able to confirm the operation, I decided to confirm the correction points.
As I noticed, verification was added to see if the name was “proto”.
When I tried removing this validation, prototype pollution occurred.
I’m not familiar with javascript, so I can’t understand what I’m doing just by reading the source code.
Let’s actually look at the data handled in the process.
Since I was checking the contents of “name”, let’s see what the name is.
A lot came out.
After a little research, it looks like a jQuery function.
“Proto” is also included.
Since name contains “proto”, look for the place where you are using name as an element of the array and assigning it.
Since there were two places, I set console.log.
The results came out messed up so I filtered it.
It was the first place that used “proto”.
I made a pinpoint fix to show devMode and the content was nicely displayed.