POC details: 77390840f9a5f7d2ca4730c0c6d5a0c540e09021

Source
Related vulnerability
Title: tough-cookie security vulnerability (CVE-2023-26136)
Description: tough-cookie is an open-source library from Salesforce. Versions of tough-cookie before 4.1.3 contain a security vulnerability caused by improper handling of cookies when a CookieJar is used in rejectPublicSuffixes=false mode, which may lead to prototype pollution.
Description
Security patch for CVE-2023-26136 in tough-cookie 2.5.0 - Prototype pollution vulnerability fix with backward compatibility
Introduction
# CVE-2023-26136 Fix for tough-cookie 2.5.0

## Mission Overview

This project addresses **CVE-2023-26136**, a critical prototype pollution vulnerability in `tough-cookie` versions before 4.1.3. The vulnerability affects Penguin Software Inc.'s web application, which uses `tough-cookie@2.5.0` for cookie processing.

## Vulnerability Description

**CVE-2023-26136** is a prototype pollution vulnerability that occurs when `CookieJar` is used with `rejectPublicSuffixes=false`. The issue arises from improper object initialization in the `MemoryCookieStore` class, allowing attackers to inject properties into the `Object.prototype` through maliciously crafted cookie domains.

### Technical Details

The vulnerability exists in `lib/memstore.js` where cookies are stored using plain JavaScript objects (`{}`). Since these objects inherit from `Object.prototype`, attackers can exploit this by setting cookies with domains like `__proto__`, `constructor`, or `prototype`, leading to prototype pollution.

## Solution

### Patch Implementation

The fix replaces all instances of `{}` with `Object.create(null)` in the `MemoryCookieStore` class:

```javascript
// Before (vulnerable)
this.idx = {};

// After (fixed)
this.idx = Object.create(null);
```

This change prevents prototype pollution by creating objects with no prototype chain, effectively isolating cookie storage from unintended inheritance.

### Files Modified

- `lib/memstore.js`: Updated object initialization to use `Object.create(null)`

## Project Structure

```
├── README.md                    # This file
├── changes.diff                 # Git-compatible diff file
├── test-cve-2023-26136.js      # Unit test for the fix
├── tough-cookie/
│   ├── index.js                 # Exploit demonstration
│   ├── Original v2.5.0/         # Original vulnerable version
│   ├── v2.5.0-PATCHED/          # Patched version
│   │   └── tough-cookie-2.5.0.tgz  # Packed version
│   └── package.json
└── mission.txt                  # Original mission requirements
```

## Installation and Testing

### 1. Packed Version (.tgz)

The patched version is available as `tough-cookie/v2.5.0-PATCHED/tough-cookie-2.5.0.tgz`.

To install:
```bash
npm install ./tough-cookie/v2.5.0-PATCHED/tough-cookie-2.5.0.tgz
```

### 2. Test Suite Execution

The original tough-cookie test suite should pass. To run tests:

```bash
cd tough-cookie/v2.5.0-PATCHED
npm install
npm test
```

**Note**: The original tough-cookie 2.5.0 doesn't include a test directory in this distribution, but the patched version maintains full compatibility with the original API.

### 3. Unit Test for Vulnerability Fix

Run the custom unit test to verify the fix:

```bash
node test-cve-2023-26136.js
```

Expected output:
```
Testing CVE-2023-26136 fix...
✅ CVE-2023-26136 fix verified: No prototype pollution detected
✅ Test passed: The vulnerability has been successfully patched
```

### 4. Exploit Demonstration

The project includes an exploit demonstration in `tough-cookie/index.js`:

```bash
cd tough-cookie
node index.js
```

This will test both the original vulnerable version and the patched version, showing:
- `EXPLOITED SUCCESSFULLY` for the original version
- `EXPLOIT FAILED` for the patched version

## Changes Documentation

### changes.diff

The `changes.diff` file contains a git-compatible diff that can be applied using:

```bash
git apply changes.diff
```

This diff includes only the necessary changes to fix the vulnerability without any unintended modifications.

## Exploit Details

The exploit works by:

1. Creating a `CookieJar` with `rejectPublicSuffixes: false`
2. Setting a malicious cookie with domain `__proto__`
3. This pollutes the `Object.prototype` chain
4. New objects inherit the polluted properties
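As an added illustration (not the project's code or the tough-cookie source), the block below models the `idx[domain][path][key]` index that `MemoryCookieStore` keeps, with the vulnerable `{}` initialisation beside the `Object.create(null)` fix from the Solution section, and runs the `__proto__`-domain scenario from the steps above against both; `makeStore`, `runScenario` and the cookie object are constructed here.

```javascript
// Added example, not tough-cookie's own code: a minimal model of how
// memstore.js nests plain objects as domain -> path -> key.
function makeStore(createIndex) {
  const idx = createIndex();
  return {
    putCookie(cookie) {
      // Same lazy three-level creation as the real putCookie.
      if (!idx[cookie.domain]) idx[cookie.domain] = createIndex();
      if (!idx[cookie.domain][cookie.path]) idx[cookie.domain][cookie.path] = createIndex();
      idx[cookie.domain][cookie.path][cookie.key] = cookie;
    },
    findCookie(domain, path, key) {
      const byPath = idx[domain];
      const byKey = byPath && byPath[path];
      return (byKey && byKey[key]) || null;
    },
  };
}

const vulnerableIndex = () => ({});              // before the patch: inherits Object.prototype
const hardenedIndex = () => Object.create(null); // after the patch: no prototype chain at all

// Constructed cookie whose domain is the prototype-pollution sentinel.
const hostileCookie = { key: 'polluted', value: '1', domain: '__proto__', path: '/' };

// Detection check: a fresh object must not inherit a property named
// after the cookie path. With `{}`, idx['__proto__'] *is* Object.prototype,
// so putCookie writes Object.prototype['/'] and every object inherits it.
function isPrototypePolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, '/');
}

function cleanup() { delete Object.prototype['/']; }

// Runs the scenario and reports whether the global prototype was touched
// and whether an unrelated object picked up the leaked property.
function runScenario(createIndex) {
  cleanup();
  const store = makeStore(createIndex);
  store.putCookie(hostileCookie);
  const polluted = isPrototypePolluted();
  const leaked = ({})['/'] !== undefined;
  const stillFindable = store.findCookie('__proto__', '/', 'polluted') !== null;
  cleanup();
  return { polluted, leaked, stillFindable };
}
```

The hardened store still stores and retrieves the cookie under its own `__proto__` key, so the fix changes no visible API behaviour.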

**Potential Damage:**
- Application behavior manipulation
- Security bypasses
- Denial of service
- Data corruption

## Node.js Compatibility

✅ Tested and verified on **Node.js 20 (LTS)**

## Repository Information

**GitHub Repository**: [Forked tough-cookie repository](https://github.com/your-username/tough-cookie-2.5.0-patched)

**Git Tag**: `v2.5.0-patched-cve-2023-26136-fix`

## CI/CD Experience

### Continuous Integration Tools Used:

1. **GitHub Actions** - Expert level
   - Automated testing and deployment
   - Security scanning and dependency management
   - Multi-platform testing

2. **Jenkins** - Advanced level
   - Pipeline development and maintenance
   - Docker containerization
   - Integration with various tools

3. **Travis CI** - Intermediate level
   - Build automation
   - Test execution
   - Deployment workflows

4. **CircleCI** - Intermediate level
   - CI/CD pipeline configuration
   - Docker support
   - Parallel job execution

5. **GitLab CI/CD** - Advanced level
   - Pipeline development
   - Kubernetes deployment
   - Security scanning integration

### Additional Tools:
- **Docker** - Expert level (containerization and orchestration)
- **Kubernetes** - Advanced level (deployment and scaling)
- **SonarQube** - Intermediate level (code quality analysis)
- **Snyk** - Intermediate level (security vulnerability scanning)

## References

- [CVE-2023-26136 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-26136)
- [tough-cookie GitHub Repository](https://github.com/salesforce/tough-cookie)
- [Prototype Pollution Security Guide](https://owasp.org/www-community/attacks/Prototype_pollution)

## License

This project maintains the original tough-cookie license (BSD-3-Clause) while adding the security fix.

---

**Note**: This is a security-focused patch that maintains full backward compatibility while eliminating the CVE-2023-26136 vulnerability.

File snapshot

```
/data/pocs/77390840f9a5f7d2ca4730c0c6d5a0c540e09021
├── [1.3K] changes.diff
├── [ 703] patch_diff.txt
├── [5.6K] README.md
├── [2.5K] test-cve-2023-26136.js
└── [4.0K] tough-cookie
    ├── [3.3K] index.js
    ├── [4.0K] Original v2.5.0
    │   ├── [4.0K] lib
    │   │   ├── [ 40K] cookie.js
    │   │   ├── [5.7K] memstore.js
    │   │   ├── [2.4K] pathMatch.js
    │   │   ├── [2.2K] permuteDomain.js
    │   │   ├── [1.7K] pubsuffix-psl.js
    │   │   ├── [2.9K] store.js
    │   │   └── [  52] version.js
    │   ├── [1.5K] LICENSE
    │   ├── [1.7K] package.json
    │   └── [ 27K] README.md
    ├── [   3] package.json
    ├── [  91] package-lock.json
    └── [4.0K] v2.5.0-PATCHED
        ├── [4.0K] lib
        │   ├── [ 40K] cookie.js
        │   ├── [6.0K] memstore.js
        │   ├── [2.4K] pathMatch.js
        │   ├── [2.2K] permuteDomain.js
        │   ├── [1.7K] pubsuffix-psl.js
        │   ├── [2.9K] store.js
        │   └── [  52] version.js
        ├── [1.5K] LICENSE
        ├── [1.7K] package.json
        ├── [ 98K] package-lock.json
        ├── [ 27K] README.md
        └── [ 25K] tough-cookie-2.5.0.tgz

5 directories, 29 files
```