A chain of exploits could be triggered without any authentication
The new bug, discovered and reported by Sonar researchers, allowed attackers to manipulate Blitz.js application code to create a reverse shell and execute arbitrary commands on the server.
Prototype Pollution Vulnerability in Dependencies
“Blitz.js is an upcoming JS framework that has gained traction on GitHub,” Paul Gerste, vulnerability researcher at Sonar, told The Daily Swig. “We selected it to help secure its codebase and study real-world vulnerabilities.”
Blitz is built on Next.js, a React-based framework, and adds components to make it a complete web development platform.
One of the advertised features of Blitz.js is its “Zero-API” layer, which allows the client to invoke server-side business logic through simple functions without having to write API code.
Blitz.js makes an RPC call to the server in the background and returns the response to the client function call.
“Blitz.js adds an RPC layer on top of Next.js (among other features), and this layer uses superjson to deserialize incoming request data. The vulnerability is entirely inside superjson,” Gerste said.
As an extended version of JSON, superjson adds support for dates, regexes, and circular references. The circular reference feature lets the serialized payload name property paths that should point back to already-deserialized values, and it is this handling of attacker-supplied property names that led to the prototype pollution vulnerability. By supplying property names such as those of the object prototype, an attacker could alter the behaviour of code running on the server.
RCE on Blitz Servers
Gerste discovered a chain of exploits that could be triggered by the prototype pollution vulnerability and lead to RCE.
The attacker could use this function to launch a CLI process and execute an arbitrary command on the server.
Prototype pollution in Blitz.js (Image: sonarsource.com)
What makes this vulnerability particularly dangerous is that it can be triggered without any authentication, which means that any user who can access the Blitz.js application will be able to launch RCE attacks.
“An attacker would have the same level of privilege as the vulnerable application,” Gerste said. “So if the app is running as root, the attacker would also have root privileges.”
Prototype pollution bugs often act in very indirect ways. For example, in the case of Blitz.js, the CLI wrapper object was not vulnerable on its own but could be abused through the prototype pollution bug.
“This attack technique exploits a code pattern that is not a vulnerability per se,” Gerste said. “Prototype pollution can influence the target application in a very invasive way, and it would take a lot of work to get rid of all the code that could be influenced by prototype pollution.”
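The two ideas in the passages above, a deserializer that follows payload-supplied property names (the superjson issue) and a harmless consumer that only becomes dangerous once the prototype is polluted (the CLI wrapper pattern Gerste describes), can be seen in a few lines of JavaScript. The following is an added, self-contained illustration written for this page; it is not code from superjson, Blitz.js or Sonar, and the payload format, the function names and the "verbose" option are assumptions made for the example. Each unsafe pattern is shown beside a hardened form that a defender would apply.

```javascript
// Added example (not superjson's, Blitz.js's or Sonar's code). Models the idea the
// article describes: a deserializer that walks attacker-supplied property names,
// and a consumer that reads an optional setting. Names and payload format are
// assumptions made for this illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable pattern: follow a path of property names from the payload and assign.
// '__proto__' resolves to Object.prototype, so the final assignment lands on
// every plain object in the process.
function setPathUnsafe(root, path, value) {
  let node = root;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (node[key] == null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return root;
}

// Hardened pattern: refuse prototype-related keys up front and only traverse
// own properties, creating prototype-less containers for intermediate nodes.
function setPathSafe(root, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refused key "${key}" in path`);
  }
  let node = root;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (!hasOwn(node, key) || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return root;
}

// A consumer that is harmless on its own: it builds an argument list and honours
// an optional flag. Nothing here is a bug, yet once the prototype is polluted
// `opts.verbose` exists even though the caller never set it.
function buildArgs(opts) {
  const args = ['--name', String(opts.name)];
  if (opts.verbose) args.push('--verbose');
  return args;
}

// Same consumer reading only own properties: pollution no longer reaches it.
function buildArgsSafe(opts) {
  const args = ['--name', String(opts.name)];
  if (hasOwn(opts, 'verbose') && opts.verbose) args.push('--verbose');
  return args;
}

// Constructed payload: a "reference path" that goes through __proto__.
const MALICIOUS_PATH = ['__proto__', 'verbose'];

// Runs the scenario and reports what each variant observed.
function demonstrate() {
  const result = {};
  try {
    setPathUnsafe({}, MALICIOUS_PATH, true);
    result.polluted = ({}).verbose === true;          // unrelated object now "has" verbose
    result.unsafeArgs = buildArgs({ name: 'app' });   // picks up a flag nobody asked for
    result.safeArgs = buildArgsSafe({ name: 'app' }); // unaffected
  } finally {
    delete Object.prototype.verbose;                  // undo the pollution in this process
  }
  result.cleanAfter = ({}).verbose === undefined;
  try {
    setPathSafe({}, MALICIOUS_PATH, true);
    result.safeSetterRejected = false;
  } catch (e) {
    result.safeSetterRejected = true;
  }
  result.safeSetterWorks = setPathSafe({}, ['a', 'b'], 1).a.b === 1;
  return result;
}

console.log(demonstrate());
```

The point the example makes is the one in the quote: `buildArgs` is not a vulnerability, and a code review of it alone would find nothing to fix. The pollution happens in the deserializer; the consumer is merely the place where an inherited property is first trusted. Rejecting `__proto__`, `constructor` and `prototype` at the parsing boundary, and reading options with an own-property check where that boundary cannot be trusted, removes both halves of the chain.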