Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Shcherbakov, Mikhail and Balliu, Musard and Staicu, Cristian-Alexandru
(2023) Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js.
In: USENIX Security Symposium 2023.
Conference: USENIX-Security Usenix Security Symposium

[img] Text
sec23summer_432-shcherbakov-prepub.pdf
Download (417kB)

Abstract

Prototype pollution is a dangerous vulnerability affecting prototype-based languages like JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties into an object's root prototype at runtime and subsequently trigger the execution of legitimate code gadgets that access these properties on the object's prototype, leading to attacks such as Denial of Service (DoS), privilege escalation, and Remote Code Execution (RCE). While there is anecdotal evidence that prototype pollution leads to RCE, current research does not tackle the challenge of gadget detection, thus only showing feasibility of DoS attacks, mainly against Node.js libraries. In this paper, we set out to study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub's static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit eight RCE vulnerabilities in three high-profile applications such as NPM CLI, Parse Server, and Rocket.Chat. Our results provide alarming evidence that prototype pollution in combination with powerful universal gadgets lead to RCE in Node.js.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Cristian-Alexandru Staicu (CS)
Conference: USENIX-Security Usenix Security Symposium
Depositing User: Cristian-Alexandru Staicu
Date Deposited: 22 Nov 2022 10:48
Last Modified: 29 Nov 2022 14:59
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/3857

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.