What is Remote Code Execution?
Before diving into the story about the Bug Hunter who discovered a Node JS RCE on one of PayPal’s subdomains, let’s first discuss Remote Code Execution (RCE).
So, imagine you have a computer or server that runs a program or website. This program or website has a little bug that a hacker can exploit. They can use this bug to sneakily send their own code to your computer, which will then execute it without your permission. This means that the hacker can do pretty much whatever they want on your computer – they could steal your data, take control of your computer, or just cause some general mayhem.
This kind of attack is called Remote Code Execution because the hacker is sending their code from a remote location, like their own computer or another server somewhere else. And because they’re executing their code on your computer, it’s like they’re right there in front of it, controlling it themselves.
The Story
A security researcher, Michael Stepankin recently discovered a Node JS RCE vulnerability in the demo server for PayPal’s web application created with Node.js.
The vulnerability was discovered through the process of fuzzing all HTTP parameters during a security assessment. The demo server was responding differently to requests that contained ” and ‘%0a‘, throwing a ‘syntax error’ in the responses.
Upon further investigation, the researcher discovered that the PayPal application uses Dust.js, a JavaScript templating engine on the server side.
The older version of Dust.js supports “if” helpers, which are used to evaluate expressions in the code. The “if” helper uses JavaScript eval for complex expression evaluation.
This means that if an attacker can supply input directly to the eval() function, they can execute arbitrary JavaScript code. When he sent a request to the website, the application tried to evaluate the following javascript expression: eval(“‘xxx’ == ‘desktop'”). This threw a syntax error.
The researcher also found that the application replaces certain dangerous characters like single quote and double quote with with HTML encoding to prevent direct input to eval(). However, the researcher discovered that if the “s” parameter is not a string, the application is vulnerable to Node JS RCE attack.
The researcher sent a request with an Array as the “device” parameter instead of a string and was able to retrieve the “/etc/passwd” file from the server. This showed that the website was vulnerable to a Node.js code injection.
This highlights the importance of properly handling user input and checking for potential vulnerabilities in server-side applications.
How to Prevent Command Execution/RCE?
To prevent Command Execution/RCE vulnerabilities, you can take the following steps:
- Keep your software up to date: Make sure to always use the latest version of your software and apply security patches as soon as they are released. Outdated software can contain known vulnerabilities that can be exploited by attackers.
- Implement input validation: Validate all user input and ensure that it meets the expected format and data type. This can prevent attackers from injecting malicious code into your application.
- Implement proper access controls: Limit the permissions and privileges of users and processes to only what is necessary for them to function properly. This can help prevent attackers from gaining elevated privileges and executing arbitrary code.
- Use a web application firewall (WAF): Implement a WAF to help block common attack patterns and prevent malicious code from being executed.
- Use safe coding practices: Follow secure coding practices, such as using secure coding libraries, avoiding the use of dangerous functions, and minimizing the use of eval() and other dynamic code execution functions.
By following these steps, you can help prevent RCE vulnerabilities and keep your applications secure. It’s important to regularly review and update your security measures to stay ahead of evolving threats.
Link to read full write up: here
Save the pdf here
