A critical prototype pollution vulnerability in Blitz.js, a JavaScript web application framework, has been patched; it allowed remote code execution (RCE) on Node.js servers.

Prototype pollution is a class of JavaScript flaw that lets attackers manipulate an application’s behaviour and compromise it in a number of different ways.

Researchers at Sonar found the flaw, which allowed attackers to alter the running code of a Blitz.js app in order to spawn a reverse shell and issue arbitrary commands on the server.

Prototype vulnerability in dependencies

According to Paul Gerste, a vulnerability researcher at Sonar, “Blitz.js is an emerging JS framework that gained attention on GitHub. We chose it to analyse real-world vulnerabilities and assist in securing its code base.”

Blitz is a full-stack web development framework built on top of Next.js, a React-based framework, to which it adds further components.

One of Blitz.js’s touted strengths is its “Zero-API” layer, which enables clients to use straightforward functions to call server-side business logic without having to create API code.

Behind the scenes, Blitz.js makes an RPC call to the server and hands the result back to the client-side function call.

“Among other features, Blitz.js extends Next.js with an RPC layer that deserializes data from incoming requests using superjson. Superjson is completely vulnerable,” according to Gerste.

Superjson is a JSON variant that supports circular references, dates, and regexes. The prototype pollution stemmed from the circular-reference feature, which lets the serialized data refer to objects by property name. An attacker could use these property names to alter the server’s running code.

RCE on Blitz servers

Gerste identified a chain of steps that, combined with the prototype pollution vulnerability, could be exploited to achieve RCE.

First, a crafted JSON request is sent to the server, which causes Blitz.js’s routing system to load a JavaScript file that picks up the polluted prototype. This lets the attacker run arbitrary code via the malicious JavaScript object.

Ideally, an attacker would create and execute a file on the server, but Blitz.js does not offer upload functionality. It does, however, ship a CLI wrapper script that launches a new process using Node.js’s spawn() method.

An attacker could use this function to start a CLI process and run arbitrary commands on the server.


Because the vulnerability can be exploited without any authentication, anyone who can reach the Blitz.js application could carry out RCE attacks.

According to Gerste, an attacker would gain the same level of privilege as the vulnerable application. If the application runs as root, the attacker would therefore have root privileges as well.

Complicated bug

Prototype pollution bugs frequently behave in quite convoluted ways. In the case of Blitz.js, for instance, the CLI wrapper was not vulnerable on its own, but it became exploitable once the prototype had been polluted.

According to Gerste, “This attack technique utilises a coding pattern which is not a vulnerability in itself. Prototype pollution can have a very invasive impact on the target application, and eliminating every code that could be impacted by prototype pollution would take a lot of work.”

In his bug report, Gerste gives some general advice on protecting JavaScript apps against prototype pollution, such as freezing Object.prototype or starting Node.js with the --disable-proto=delete flag.
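The deserialization pattern described earlier (a deserializer that resolves references by property name) and the two mitigations Gerste recommends can be seen together in the following added example. It is illustrative code written for this article, not code from Blitz.js, superjson or Sonar: a minimal dotted-path property setter of the kind that pollutes Object.prototype when it honours keys such as __proto__, beside a hardened version that rejects those keys, a small audit helper that reports whether Object.prototype has picked up unexpected keys, and a function that applies the Object.prototype freeze. The function names, the dotted-path format and the sample inputs are assumptions made for the illustration.

```javascript
// Added illustration, not code from Blitz.js, superjson or Sonar. It models a
// path-based property setter of the kind a deserializer may use to resolve
// references by name, shows how that pattern pollutes Object.prototype, and
// applies the mitigations the article mentions. Function names and the
// dotted-path format are assumptions made for this example.

// Keys that let a property path escape into the shared prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return !FORBIDDEN_KEYS.has(key);
}

// Detection helper: Object.prototype has no own enumerable keys in a healthy
// process, so any key returned here was added by a polluting write.
function auditPrototype() {
  return Object.keys(Object.prototype);
}

// UNSAFE pattern: walks a dotted path and assigns at the end. Because
// obj['__proto__'] resolves to Object.prototype, a path such as
// '__proto__.polluted' writes a property that every object then inherits.
function setPathUnsafe(root, path, value) {
  const keys = path.split('.');
  let obj = root;
  for (const key of keys.slice(0, -1)) {
    if (obj[key] === undefined || obj[key] === null) obj[key] = {};
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return root;
}

// Hardened pattern: reject prototype-escaping keys up front and only descend
// into the target's own properties, never into inherited ones.
function setPathSafe(root, path, value) {
  const keys = path.split('.');
  if (!keys.every(isSafeKey)) {
    throw new Error(`refusing path with prototype-escaping key: ${path}`);
  }
  let obj = root;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== 'object' || obj[key] === null) obj[key] = {};
    obj = obj[key];
  }
  obj[keys[keys.length - 1]] = value;
  return root;
}

// Runs the unsafe setter once, records what an unrelated fresh object now
// "inherits" and what the audit reports, then cleans up so the process stays
// usable. Returns { leaked, audit }.
function demonstrateUnsafe() {
  try {
    setPathUnsafe({}, '__proto__.polluted', 'yes');
  } catch (e) {
    // Only reached if Object.prototype was already frozen and code is strict.
  }
  const unrelated = {};
  const result = { leaked: unrelated.polluted, audit: auditPrototype() };
  delete Object.prototype.polluted;
  return result;
}

// Mitigation from the article: freeze Object.prototype so polluting writes are
// silently ignored (sloppy mode) or throw a TypeError (strict mode). This is
// irreversible for the process, which is the point; Node's experimental
// --frozen-intrinsics flag applies the same idea to all built-in objects.
function freezeObjectPrototype() {
  Object.freeze(Object.prototype);
  try {
    setPathUnsafe({}, '__proto__.polluted', 'yes');
  } catch (e) {
    // TypeError in strict mode: the polluting write was blocked.
  }
  return Object.isFrozen(Object.prototype) && ({}).polluted === undefined;
}
```

Calling demonstrateUnsafe() returns { leaked: 'yes', audit: ['polluted'] }, which is exactly the condition a runtime check on Object.keys(Object.prototype) can alarm on; setPathSafe() throws before touching anything for the same path, and freezeObjectPrototype() returns true once the freeze is in place. Running Node with --disable-proto=delete removes the Object.prototype.__proto__ accessor, so the unsafe setter above would then create a harmless own property named "__proto__" instead of reaching the prototype; note that the constructor.prototype path is unaffected by that flag, which is why the hardened setter also rejects the constructor and prototype keys.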

“Many JavaScript developers, in my opinion, are still unaware of prototype pollution,” Gerste remarked. “I don’t frequently observe developers using the patterns we suggested in our essay. We aim to share this information and assist in educating JavaScript developers through our blog postings.”

Reference: portswigger.net/daily-swig/prototype-pollution-in-blitz-js-leads-to-remote-code-execution?&web_view=true