Prototype pollution project yields another Parse Server RCE – The Daily Swig

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’
Prototype pollution project yields another Parse Server RCE
A prototype pollution vulnerability that could lead to remote code execution (RCE) in Parse Server has been patched.
An attacker could potentially trigger RCE through the MongoDB BSON [Binary JSON] parser by leveraging the flaw (CVE-2022-39396), according to a GitHub security advisory published on November 8.
Parse Server is a popular, open source API server module for Node.js that provides push notification functionality for iOS, macOS, Android, and tvOS.
The researchers involved are withholding technical details to give developers time to apply patches, so the specifics remain unclear, but the bug is comparable to another prototype-pollution-to-RCE issue they disclosed earlier this year. That vulnerability, which surfaced in March 2022, was given the highest possible severity rating of CVSS 10.
“I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication,” Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig. “So my advice is to patch Parse Server ASAP, if you have it.”
The flaw has been patched in the NPM parse-server package in versions 4.10.18 and 5.3.1.
The patches prevent prototype pollution in the MongoDB database adapter. If updates cannot be applied immediately, then users can protect themselves in the meantime by disabling RCE through the MongoDB BSON parser.
The flaw was discovered during a research project undertaken by Shcherbakov, KTH colleague Musard Balliu, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.
The trio investigated how prototype pollution vulnerabilities in Node.js systems might lead to RCE attacks.
“The detection of prototype pollution is a complex task,” said Shcherbakov. “However, the exploitation that demonstrates a high impact of vulnerabilities is more complicated in practice but still possible.”
The researchers have presented their findings, which also feature Node.js targets NPM CLI and Rocket.Chat, in a white paper (PDF). They are due to present their research at the USENIX Security ’23 conference.
Prototype pollution, which affects Node.js and prototype-based languages like JavaScript, involves injecting “properties into an object’s root prototype at runtime [to] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype,” explains the presentation precis.
The researchers set out to find “end-to-end exploits beyond DoS in full-fledged Node.js applications”, and “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets”.
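The mechanism described above (a polluted root prototype plus a legitimate "gadget" that reads the polluted property) in an added JavaScript example; this is not code from the article, from the researchers' paper or from Parse Server, whose technical details are undisclosed. It pairs a recursive merge that trusts every key with a hardened merge, a gadget and a runtime canary; all function names and the payload are constructed for the illustration.

```javascript
// Added example, not code from the article or from Parse Server: a recursive
// merge that trusts every key, a hardened merge, a gadget and a runtime canary.
// Vulnerable sink: target["__proto__"] resolves to Object.prototype, which
// then receives the nested values.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened sink: refuse keys that reach the prototype chain and only descend
// into properties the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// "Gadget": legitimate code that reads a property it never sets itself, so it
// takes whatever the prototype chain supplies.
function isAdmin(user) { return user.isAdmin === true; }
// Canary a service can check: Object.prototype should own no enumerable keys.
function prototypeIsClean() { return Object.keys(Object.prototype).length === 0; }
// Constructed attacker-style input; JSON.parse creates an own "__proto__" key.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';
function demo(merge) {
  const before = prototypeIsClean();
  merge({ name: "guest" }, JSON.parse(PAYLOAD));
  const result = { cleanBefore: before, cleanAfter: prototypeIsClean(),
                   unrelatedIsAdmin: isAdmin({}) };
  delete Object.prototype.isAdmin; // undo the pollution so later code is unaffected
  return result;
}
```

Running `demo(unsafeMerge)` shows an unrelated empty object suddenly passing the `isAdmin` gadget, while `demo(safeMerge)` leaves `Object.prototype` untouched.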
Technical details for the Parse Server RCE will eventually be disclosed via the Trend Micro Zero Day Initiative (ZDI) blog.
Other significant security bugs addressed in Parse Server this year include an issue that enabled brute-force guessing of sensitive user data, and a high severity authentication bypass impacting Apple Game Center.
Adam Bannister
© 2022 PortSwigger Ltd.