Abstract:Prototype pollution is a recent vulnerability that affects JavaScript code, leading to high impact attacks such as arbitrary code execution. The vulnerability is rooted in JavaScript's prototype-based inheritance, enabling attackers to inject arbitrary properties into an object's prototype at runtime. The impact of prototype pollution depends on the existence of otherwise benign pieces of code (gadgets), which inadvertently read from attacker-controlled properties to execute security-sensitive operations. While prior works primarily study gadgets in third-party libraries and client-side applications, gadgets in JavaScript runtime environments are arguably more impactful as they affect any application that executes on these runtimes.
In this paper we design, implement, and evaluate a pipeline, GHunter, to systematically detect gadgets in V8-based JavaScript runtimes with prime focus on Node.js and Deno. GHunter supports a lightweight dynamic taint analysis to automatically identify gadget candidates which we validate manually to derive proof-of-concept exploits. We implement GHunter by modifying the V8 engine and the targeted runtimes along with features for facilitating manual validation. Driven by the test suites of Node.js and Deno, we use GHunter in a study of gadgets in these runtimes. We identified a total of 56 new gadgets in Node.js and 67 gadgets in Deno, pertaining to vulnerabilities such as arbitrary code execution (19), privilege escalation (31), path traversal (13), and more. Moreover, we systematize, for the first time, existing mitigations for prototype pollution and gadgets in terms of development guidelines. We collect a list of vulnerable applications and revisit the fixes through the lens of our guidelines. Through this exercise, we identified one high-severity CVE leading to remote code execution, which was due to incorrectly fixing a gadget.
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the prototype pollution vulnerability in the JavaScript runtime environment and its related attack means. Specifically, the paper focuses on systematically detecting and analyzing "universal gadgets" in the JavaScript runtime environment based on the V8 engine (such as Node.js and Deno), which can be exploited to carry out high - impact attacks, such as arbitrary code execution, privilege escalation, etc.
### Background and Problem Description
Prototype pollution is a recently discovered security vulnerability that affects JavaScript code and may lead to high - impact attacks, such as arbitrary code execution and privilege escalation. This vulnerability stems from JavaScript's prototype inheritance mechanism, which allows attackers to inject arbitrary properties into an object's prototype at runtime. The impact of the attack depends on the existence of other seemingly harmless code fragments (called gadgets), which will inadvertently read the properties controlled by the attacker and thus perform sensitive operations.
Although previous research has mainly focused on gadgets in third - party libraries and client - side applications, gadgets in the JavaScript runtime environment are more impactful because they will affect all applications running on this runtime.
### Main Contributions of the Paper
1. **Designed and implemented a semi - automated pipeline GH UNTER** for systematically detecting universal gadgets in the JavaScript runtime on the V8 engine (especially Node.js and Deno).
2. **Conducted a comprehensive analysis** and discovered a total of 123 universal gadgets in Node.js and Deno, involving multiple vulnerabilities, including arbitrary code execution, server - side request forgery, privilege escalation, and cryptographic downgrade.
3. **Systematized the existing mitigation measures for prototype pollution and gadgets** and proposed directions for future research, including an in - depth case study leading to remote code execution (RCE).
### Technical Background
- **Prototype pollution and gadgets**: Prototype pollution occurs in prototype - based languages (such as JavaScript), where attackers modify objects at runtime by manipulating the program's prototype inheritance, causing originally harmless code sequences (gadgets) to perform dangerous operations.
- **JavaScript runtime environment**: The research mainly focuses on two popular JavaScript runtime environments, Node.js and Deno. Node.js is widely used in server application development, while Deno is known for its security.
- **Threat model**: Assuming that applications are vulnerable to prototype pollution, the goal of the research is to find exploitable universal gadgets in the JavaScript runtime to achieve the following attacks:
- Arbitrary code/command execution (ACE)
- Server - side request forgery (SSRF)
- Privilege escalation
- Cryptographic downgrade
- Path traversal
- Unauthorized modification
- Log pollution
- Denial of service (DoS)
### System Design and Implementation
GH UNTER detects gadgets through three automated steps and one manual verification step:
1. **Collect source properties**: Identify undefined properties that may be affected by prototype pollution.
2. **Identify source - to - sink flow**: Through lightweight taint analysis, detect whether the polluted property values can reach dangerous sinks.
3. **Abrupt termination**: Detect fatal crashes caused by prototype pollution, which may lead to denial - of - service attacks.
4. **Manual verification**: Manually verify the results of the previous steps and generate proof - of - concept (PoC) attacks.
Through this method, GH UNTER can systematically detect and verify universal gadgets in the JavaScript runtime environment, providing strong support for improving application security.