ØxOPOSɆC Mɇɇtuᵽ - [INIT] - The Gathering

Renato Rodrigues - @SiMpS0N- 11-02-2016

Step In
SSJS Injection
NODE BLEED

What is NodeJS? 

aka

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. 

Node.js is a runtime environment for running JavaScript applications outside the browser, that is, JavaScript on the server side.

SSJS Injection

Server-Side JavaScript Injection

In short, it is like Cross-Site Scripting (XSS), but our code lands on the server, where we hope it reaches an execution sink.

 

At the end of the day, it's all about:

eval()

The eval() function evaluates or executes an argument.  If the argument is an expression, eval() evaluates the expression. If the argument is one or more JavaScript statements, eval() executes the statements.

Reference: http://www.w3schools.com/jsref/jsref_eval.asp

Why people use eval in 2016

Convert JSON text into an Object

Make logic flows

// jsonString holds the JSON text to convert
var jsondata = eval("(" + jsonString + ")");
...
xhReq.onreadystatechange = function()
{
	if (xhReq.readyState == 4)
	{
		if(passReply)
		{
			if(asXML)
			{
				eval(callback + "(xhReq.responseXML);");
			}else{
				eval(callback + "(xhReq.responseText);");
			}
		}else{
			eval(callback + "();");
		}
	}
}
xhReq.send(null);
...

But remember, eval is not alone

 

($=>{return inj})()

new Promise($=>inj)

function a(a=inj){}; a();

To schedule execution of a one-time callback after delay milliseconds. Optionally you can also pass arguments to the callback.

setTimeout(inj,delay)

To schedule the repeated execution of callback every delay milliseconds. Optionally you can also pass arguments to the callback.

setInterval(inj,delay)

Reference: https://millermedeiros.github.io/mdoc/examples/node_api/doc/timers.html

Hands On

eval() is our friend and JSON just came along.

😈

https://gist.github.com/Simpsonpt/ed4f6cf8ebe269ba29d7

Node Bleed

Node Process Memory Disclosure

Bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

Reference: http://heartbleed.com/

Tell me more

Today, the Node.js Buffer constructor is overloaded to handle many different argument types like String, Array, Object, TypedArrayView (Uint8Array, etc.), ArrayBuffer, and also Number.  The API is optimized for convenience: you can throw any type at it, and it will try to do what you want. 

Raw data is stored in instances of the Buffer class. A Buffer is similar to an array of integers but corresponds to a raw memory allocation outside the V8 heap. A Buffer cannot be resized.  The Buffer object is global.

Buffers

But what happens if we call it with a Number argument?

new Buffer()

Reference: https://github.com/nodejs/node/issues/4660
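
Added example (not part of the original slides or the linked gist): in the Node.js releases current when this talk was given, new Buffer(n) with a Number argument returned n bytes of uninitialized memory, so a JSON field that arrives as a number instead of a string turns an encoding helper into a memory disclosure. The helper names, the `str` field and the sample request bodies are assumptions, and Buffer.allocUnsafe stands in for the legacy constructor so the sketch behaves the same on current Node.js.

```javascript
// Added example, not code from the talk or its gist.
// Constructed request bodies: the second sends a number where a string is expected.
const SAMPLE_BODIES = ['{"str":"hello"}', '{"str":64}', 'null'];

// Risky pattern: a JSON value of unchecked type reaches the overloaded constructor.
// Buffer.allocUnsafe(n) stands in for what `new Buffer(n)` did in the affected
// releases, so the behaviour is the same on any Node.js version (assumption).
function legacyEncode(body) {
  const { str } = JSON.parse(body);
  const buf = typeof str === 'number'
    ? Buffer.allocUnsafe(str) // number: str bytes of uninitialized process memory
    : Buffer.from(str);       // string: the bytes of the string itself
  return { length: buf.length, hex: buf.toString('hex') };
}

// Hardened version: validate the type and size before any Buffer is created,
// and use the explicit Buffer.from(string, encoding) form.
function safeEncode(body, maxBytes = 1024) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (err) {
    return { ok: false, error: 'invalid JSON' };
  }
  const str = parsed == null ? undefined : parsed.str;
  if (typeof str !== 'string') {
    return { ok: false, error: 'str must be a string' };
  }
  if (Buffer.byteLength(str, 'utf8') > maxBytes) {
    return { ok: false, error: 'str too long' };
  }
  return { ok: true, hex: Buffer.from(str, 'utf8').toString('hex') };
}

// When a buffer of a given size is really needed, Buffer.alloc(n) zero-fills it.
function zeroedBuffer(n) {
  return Buffer.alloc(n);
}

for (const body of SAMPLE_BODIES) {
  console.log(body, '->', JSON.stringify(safeEncode(body)));
}
```

The numeric body yields a 64-byte buffer in the legacy path even though the client supplied no data, while the hardened path rejects it before anything is allocated.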

Hands On

Abusing Buffer API for fun and profit.

😈

https://gist.github.com/Simpsonpt/ed4f6cf8ebe269ba29d7

Thank you! 

😇

Node.js Problems in Paradise

By Renato Rodrigues

Don't let Node.js ruin your day or let it, it will be fun! - Short Talk for 0xOPOSEC Meetup