Prototype pollution in Blitz.js leads to remote code execution


A chain of exploits could be triggered without any authentication

Blitz.js, a JavaScript web application framework, has fixed a dangerous prototype pollution vulnerability that could lead to remote code execution (RCE) on Node.js servers.

Prototype pollution is a class of JavaScript vulnerability in which an attacker abuses the language's prototype-based inheritance to inject properties into shared objects such as Object.prototype, changing the behavior of an application and compromising it in various ways.

The new bug, discovered and reported by Sonar researchers, allowed attackers to manipulate the behavior of a Blitz.js application, spawn a reverse shell and execute arbitrary commands on the server.

Prototype Pollution in a Dependency

“Blitz.js is an upcoming JS framework that has gained traction on GitHub,” Paul Gerste, vulnerability researcher at Sonar, told The Daily Swig. “We selected it to help secure its codebase and study real-world vulnerabilities.”

Blitz is built on Next.js, a React-based framework, and adds components to make it a complete web development platform.


One of the advertised features of Blitz.js is its “Zero-API” layer, which allows the client to invoke server-side business logic through simple functions without having to write API code.

Blitz.js makes an RPC call to the server in the background and returns the response to the client function call.

“Blitz.js adds an RPC layer on top of Next.js (among other features), and this layer uses superjson to deserialize incoming request data. The vulnerability is entirely inside superjson,” Gerste said.

superjson is a superset of JSON that adds support for values plain JSON cannot express, such as Dates, RegExps and circular references. To encode a circular or shared reference, the payload names the property paths that should point at the same value, and superjson followed those attacker-controlled paths when rebuilding the object. A path such as one beginning with `__proto__` therefore stepped out of the deserialized object and onto Object.prototype, which is the prototype pollution: the attacker could use these property names to alter the behavior of code running on the server.
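To make the mechanism concrete, here is an added example (not code from superjson, Blitz.js or Sonar) of a toy deserializer with a "references" feature in the spirit of the one described above: the payload itself names property paths that are later walked and written to. The payload format, the function names and the two constructed payloads are assumptions made for this illustration. Note that the plain JSON part cannot cause the problem by itself, since JSON.parse turns a `"__proto__"` key into an ordinary own property; it is the path metadata, followed with plain property reads, that lets the walk leave the result object.

```javascript
// Added example (not superjson's or Blitz.js' code): a toy deserializer whose
// "refs" metadata names property paths, first followed blindly, then with
// prototype keys refused.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Read the value at `path` (an array of keys) without creating anything.
function getAtPath(root, path) {
  let cur = root;
  for (const key of path) {
    if (cur === undefined || cur === null) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Write `value` at `path`, creating intermediate objects as needed.
// `strict` refuses keys that would move the walk onto a prototype chain.
function setAtPath(root, path, value, strict) {
  let cur = root;
  for (const key of path.slice(0, -1)) {
    if (strict && FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to traverse prototype key "${key}"`);
    }
    // Plain read: for "__proto__" on a fresh object this yields
    // Object.prototype, so the walk silently leaves the result object.
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  const last = path[path.length - 1];
  if (strict && FORBIDDEN_KEYS.has(last)) {
    throw new Error(`refusing to write prototype key "${last}"`);
  }
  cur[last] = value;
}

// payload = { json: <plain JSON-compatible object>,
//             refs: [{ from: [...path], to: [...path] }, ...] }
// Each ref makes `to` point at the value found at `from`, which is how a
// circular or shared reference can be encoded on top of plain JSON.
function deserialize(payload, { strict = false } = {}) {
  const result = JSON.parse(JSON.stringify(payload.json)); // fresh copy
  for (const { from, to } of payload.refs) {
    setAtPath(result, to, getAtPath(result, from), strict);
  }
  return result;
}

// Constructed benign payload: post.author should become the same object as author.
const LEGIT_PAYLOAD = {
  json: { author: { name: 'alice' }, post: { title: 'hello' } },
  refs: [{ from: ['author'], to: ['post', 'author'] }],
};

// Constructed attacker payload: the destination path walks onto Object.prototype.
const MALICIOUS_PAYLOAD = {
  json: { author: { name: 'mallory' }, isAdmin: true },
  refs: [{ from: ['isAdmin'], to: ['__proto__', 'isAdmin'] }],
};

function demoLegitimate() {
  return deserialize(LEGIT_PAYLOAD);
}

function demoVulnerable() {
  const before = ({}).isAdmin;       // undefined: a fresh object has no such property
  deserialize(MALICIOUS_PAYLOAD);
  const after = ({}).isAdmin;        // true: every object in the process now inherits it
  delete Object.prototype.isAdmin;   // undo the damage so the demo is repeatable
  return { before, after };
}

function demoHardened() {
  try {
    deserialize(MALICIOUS_PAYLOAD, { strict: true });
    return 'accepted';
  } catch (err) {
    return ({}).isAdmin === undefined ? 'rejected' : 'polluted';
  }
}
```

The strict variant rejects the three keys that reach a prototype from any object; an equivalent defence is to build the result with `Object.create(null)` so there is no prototype to walk onto in the first place.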

RCE on Blitz Servers

Gerste discovered a chain of exploits that starts from the prototype pollution vulnerability and ends in RCE.

First, a request carrying a malicious superjson payload pollutes the prototype. The polluted properties then influence Blitz.js’ routing mechanism when it loads a JavaScript file, letting the attacker steer which code gets loaded and executed on the server.


Ideally, the attacker would plant a file of their own on the server and have it loaded, but Blitz.js offers no file upload functionality. Blitz does, however, ship a CLI wrapper script that uses a Node.js function for launching a new process.

Because prototype pollution lets the attacker influence how that call behaves, the CLI wrapper could be made to launch an arbitrary command on the server.

Prototype pollution in Blitz.js (Image: sonarsource.com)

What makes this vulnerability particularly dangerous is that it can be triggered without any authentication, which means that any user who can access the Blitz.js application will be able to launch RCE attacks.

“An attacker would have the same level of privilege as the vulnerable application,” Gerste said. “So if the app is running as root, the attacker would also have root privileges.”

A Complicated Bug

Prototype pollution bugs often act in very complicated ways. In the Blitz.js case, the CLI wrapper was not vulnerable on its own; it only became a gadget once the prototype pollution bug let an attacker inject properties it relied on.

“This attack technique exploits a code pattern that is not a vulnerability per se,” Gerste said. “Prototype pollution can influence the target application in a very invasive way, and it would take a lot of work to get rid of all the code that could be influenced by prototype pollution.”

In his write-up of the bug, Gerste gives general recommendations for hardening JavaScript applications against prototype pollution, including freezing Object.prototype and running Node.js with its `--disable-proto` flag.
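The following added example (not Blitz.js’ CLI wrapper, not Node’s own code and not Sonar’s) illustrates both points above: a process-launching helper written in the ordinary way is a gadget only because an options bag is read with plain property lookups, and the same helper stops being one when it honours only the caller’s own properties or when Object.prototype is frozen. The option reader is modelled on how such helpers typically consult an `opts.shell` setting; it only computes the argv it would run and executes nothing. The function names and the constructed attacker value are assumptions.

```javascript
// Added example (not Blitz.js', Node's or Sonar's code): an option-reading
// "gadget" that is harmless on its own and becomes dangerous once
// Object.prototype has been polluted elsewhere, plus two hardenings.

// Typical shape of a process-launching helper: a plain read of opts.shell,
// which walks the prototype chain when the caller never set the key.
function buildArgvVulnerable(command, args, opts = {}) {
  if (opts.shell) {
    // With shell set, the whole command line is handed to that shell binary.
    const sh = typeof opts.shell === 'string' ? opts.shell : '/bin/sh';
    return [sh, '-c', [command, ...args].join(' ')];
  }
  return [command, ...args];
}

// Hardening 1: honour only options the caller actually set on the bag itself.
function buildArgvHardened(command, args, opts = {}) {
  const own = (k) => Object.prototype.hasOwnProperty.call(opts, k);
  if (own('shell') && opts.shell) {
    const sh = typeof opts.shell === 'string' ? opts.shell : '/bin/sh';
    return [sh, '-c', [command, ...args].join(' ')];
  }
  return [command, ...args];
}

// Simulate the pollution an attacker achieved through some other bug (for
// example a deserializer), run the gadget, then clean up again.
function withPollutedPrototype(key, value, fn) {
  Object.prototype[key] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Constructed attacker-chosen value standing in for an arbitrary binary path.
const ATTACKER_SHELL = '/tmp/evil';

function demoGadget() {
  // The wrapper's call site never passes `shell`; the pollution supplies it.
  return withPollutedPrototype('shell', ATTACKER_SHELL, () => ({
    vulnerable: buildArgvVulnerable('blitz', ['build']),
    hardened: buildArgvHardened('blitz', ['build']),
  }));
}

// Hardening 2: freeze Object.prototype at startup so pollution cannot land.
// (Irreversible for the process, so this demo runs last.)
function demoFreeze() {
  Object.freeze(Object.prototype);
  try {
    Object.prototype.shell = ATTACKER_SHELL; // ignored, or TypeError in strict mode
  } catch (err) {
    // expected in strict mode
  }
  return ({}).shell === undefined; // true: the write was refused
}
```

Freezing Object.prototype is the blunt instrument: it protects every gadget at once, but it must run before any library that legitimately extends built-ins, and it does nothing against pollution of other shared prototypes, which is why the own-property check on the reading side is still worth having.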

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste said. “I don’t see developers using the templates we recommended in our article very often. With our blog posts, we try to help educate JavaScript developers and share that knowledge.”
