Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Presented at DEF CON 31 (2023), Aug. 12, 2023, 5 p.m. (20 minutes)

Many have heard about Prototype Pollution vulnerabilities in JavaScript applications. This kind of vulnerability allows an attacker to inject properties into an object's root prototype (Object.prototype), which can alter control flow and cause unexpected program behavior. Every successful exploit either looks like magic or is limited to a denial of service (DoS). Would you be surprised if I told you that every application has a chain of methods that can be triggered by Prototype Pollution and leads to arbitrary code execution? Such gadgets exist in the Node.js core code and in popular NPM packages. Keep calm: not every app can be exploited! However, this fact increases the risk of exploitation many times over. In our research, we studied Prototype Pollution beyond DoS and analyzed the Node.js source code for such gadgets. We then analyzed 15 popular Node.js apps from GitHub and found 8 RCEs. In this talk, I will elaborate on the detected gadgets and vulnerabilities. We will also take a look at how recent changes in Node.js mitigate these issues.

References:

  • Mikhail Shcherbakov, Musard Balliu and Cristian-Alexandru Staicu, "Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js", https://github.com/yuske/silent-spring/blob/master/silent-spring-full-version.pdf
  • Gareth Heyes, "Server-side prototype pollution: Black-box detection without the DoS", https://portswigger.net/research/server-side-prototype-pollution
  • Michał Bentkowski, "Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609)", https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
  • Olivier Arteau, "Prototype Pollution Attack in NodeJS application", https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

Presenters:

  • Mikhail Shcherbakov - KTH Royal Institute of Technology
    Mikhail Shcherbakov came to security from enterprise app development. The tendency is to push it as far as you can… He is now doing a Ph.D. in Language-Based Security after 10+ years of experience in the industry. He participated in Microsoft, GitHub, and open-source bug bounty programs, found vulnerabilities in popular products, and helped to fix them. Before starting a Ph.D. program, he focused on .NET and web security, gave talks at conferences, organized IT meetups, and got the Microsoft MVP Award in 2016 – 2018. Mikhail is an author of commercial static analysis tools and continues research in program analysis.
  • Musard Balliu - KTH Royal Institute of Technology
