Nodejs protobufjs, Prototype Pollution, CVE-2023-36665 (Critical)

Listen to this Post

How CVE-2023-36665 Works

  1. protobufjs is a JavaScript implementation of Protocol Buffers for Node.js and browsers.
  2. The library uses plain JavaScript objects with inherited prototypes for internal type lookup tables, which are used by generated encode and decode functions.
  3. If an attacker first pollutes `Object.prototype` with a separate prototype pollution primitive, those lookup tables will resolve attacker-controlled inherited properties as valid protobuf type information.
  4. This causes attacker-controlled strings to be emitted into the generated JavaScript code for message encoding/decoding.

5. The vulnerability can be triggered through:

  • The `parse` function that parses protobuf messages on the fly.
  • Loading `.proto` files using `load` or loadSync.
  • Supplying untrusted input to `ReflectionObject.setParsedOption` or util.setProperty.
  1. When an attacker provides a malicious protobuf message, they can add or overwrite properties on Object.prototype, affecting all objects in the application.
  2. Once `Object.prototype` is polluted, the internal type lookup behavior of protobufjs is altered.
  3. This can lead to arbitrary JavaScript execution when the application later encodes or decodes messages using the affected functions.
  4. The vulnerability requires a separate prototype pollution primitive to first pollute `Object.prototype` before protobufjs is used.
  5. Applications without a reachable prototype pollution primitive are not directly exploitable.
  6. The vulnerability affects protobufjs versions 6.10.0 through 6.11.4 and 7.0.0 through 7.2.4.
  7. It was fixed in version 7.2.5 for the 7.x branch and 6.11.4 for the 6.x branch.
  8. The vulnerability was discovered by Peter Samarin using Jazzer.js and reported on June 25, 2023.
  9. It was patched by maintainers on June 27, 2023.
  10. The vulnerability has a CVSS score of 9.8 (Critical) and is categorized as a prototype pollution vulnerability (CWE-1321).

DailyCVE Form:

Platform: Node.js
Version: 6.10.0-7.2.4
Vulnerability: Prototype Pollution
Severity: Critical
Date: 2023-07-05

Prediction: Patch expected by 2023-06-27

What Undercode Say:

Check protobufjs version
npm list protobufjs
Scan for vulnerable versions
npm audit | grep protobufjs
Exploitation PoC using parse
const protobuf = require("protobufjs");
protobuf.parse('option(a).constructor.prototype.verified = true;');
console.log({}.verified); // returns true
PoC with loadSync
poc.proto file contains: option(foo).constructor.prototype.verified = true;
protobuf.loadSync("poc.proto");
console.log({}.verified); // true
Polluting via setParsedOption
let obj = new protobuf.ReflectionObject("Test");
obj.setParsedOption("unimportant!", gadgetFunction, "constructor.prototype.testFn");

Exploit:

An attacker can send a specially crafted protobuf message that injects properties into Object.prototype. For example, by setting constructor.prototype.verified = true, the property becomes available on all objects. Depending on the application logic, this can bypass security checks, override critical functions, or enable gadget chains for full remote code execution. The lack of input sanitization allows the attacker to embed arbitrary JavaScript payloads into the prototype chain.

Protection from this CVE:

  • Upgrade protobufjs to version 7.2.5 or higher (or 6.11.4 for the 6.x branch).
  • If immediate upgrade is not possible, remove or mitigate any reachable prototype pollution primitives in the application.
  • Isolate schema and message processing from untrusted application state.
  • Use `Object.freeze(Object.prototype)` as a temporary mitigation.
  • Implement strict input validation for all user-supplied data used in protobuf parsing.
  • Run `npm audit fix` to automatically update vulnerable dependencies.

Impact:

Successful exploitation allows an attacker to pollute Object.prototype, affecting all objects in the JavaScript environment. This can lead to:
– Remote code execution (RCE) via gadget chains.
– Denial of service (DoS) by overriding built-in functions like toString.
– Authentication and authorization bypass.
– Privilege escalation.
– Cross-site scripting (XSS) in browser environments.
– Manipulation of application data and logic.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top