
Unexpected input validation of octal literals in nodejs v15.12.0 and below returns defined values for all undefined octal literals.

Critical
Node.js
Reported by sickcodes

Vulnerability Details

Technical details and impact analysis

Use of Inherently Dangerous Function
**Summary:** Unexpected input validation of octal literals in the nodejs implementation of the V8 JavaScript engine (V8 9.0.257.13 and below) returns defined values for all undefined octal literals where it should otherwise return undefined. Input data 08, 09 ... 078, 079 should return undefined, as evinced by 0o8, 0o9 etc. This affects ALL downstream nodejs software. An attacker could abuse a myriad of downstream software that relies on nodejs, for example any of the 1,570,041 npm packages that expect an undefined response for `eval(08);`. One such example is the netmask npm package: the package is unable to evaluate any octal literal containing an 8 or a 9, leading to SSRF, LFI, RFI.

**Description:** Downstream direct references:

- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Bad_octal
- https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/ (CVSS Pending)
- https://sick.codes/sick-2021-011 (CVSS 9.8 Critical)
- https://nvd.nist.gov/vuln/detail/CVE-2020-28360

## Steps To Reproduce:

nodejs, as well as Chrome Console:

```js
console.log(04);
console.log(05);
console.log(06);
console.log(07);
console.log(08);
console.log(09);
console.log(010);
console.log(0o4);
console.log(0o5);
console.log(0o6);
console.log(0o7);
console.log(0o8);
console.log(0o9);
```

```bash
STATEMENT='
console.log(04);
console.log(05);
console.log(06);
console.log(07);
console.log(08);
console.log(09);
console.log(010);
'
node <<EOF
${STATEMENT}
EOF
coffee <<EOF
${STATEMENT}
EOF
ts-node <<EOF
${STATEMENT}
EOF
```

node (V8) returns:

```
4
5
6
7
8
9
8
```

However, it should absolutely be:

```
4
5
6
7
undef
undef
8
```

## expected results

```bash
STATEMENT='
console.log(0o4);
console.log(0o5);
console.log(0o6);
console.log(0o7);
console.log(0o8);
console.log(0o9);
console.log(0o10);
'
node <<EOF
${STATEMENT}
EOF
coffee <<EOF
${STATEMENT}
EOF
ts-node <<EOF
${STATEMENT}
EOF
```

Every other JS runtime evaluates defined as undefined.

CWE-20: Improper Input Validation

VERSION
Google Chrome 90.0.4430.40 (Official Build) unknown (64-bit)
Revision 13a486ce2d7548247f6314bbccf47e47773938f6-refs/branch-heads/4430@{#715}
OS Linux
JavaScript V8 9.0.257.13
User Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.40 Safari/537.36
Command Line ./chrome --flag-switches-begin --flag-switches-end

REPRODUCTION CASE

```bash
STATEMENT='
console.log(04);
console.log(05);
console.log(06);
console.log(07);
console.log(08);
console.log(09);
console.log(010);
'
node <<EOF
${STATEMENT}
EOF
coffee <<EOF
${STATEMENT}
EOF
ts-node <<EOF
${STATEMENT}
EOF
```

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

```
console.log(04);
console.log(05);
console.log(06);
console.log(07);
console.log(08);
console.log(09);
console.log(010);
console.log(0o4);
console.log(0o5);
console.log(0o6);
console.log(0o7);
console.log(0o8);
console.log(0o9);
console.log(0o10);
VM78:12 Uncaught SyntaxError: Invalid or unexpected token
console.log(04);
console.log(05);
console.log(06);
console.log(07);
console.log(08);
console.log(09);
console.log(010);
console.log(0o4);
console.log(0o5);
console.log(0o6);
console.log(0o7);
VM111:1 4
VM111:2 5
VM111:3 6
VM111:4 7
VM111:5 8
VM111:6 9
VM111:7 8
VM111:8 4
VM111:9 5
VM111:10 6
VM111:11 7
```

## Impact:

SSRF, RFI, LFI in absolutely any downstream package that relies on octal literal IP address translation. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Bad_octal

## Supporting Material/References:

This bug I previously submitted to Chromium V8 (yesterday), which was rejected as "per spec". However, this does not account for the fact that this is extremely dangerous for nodejs webapps, if not all nodejs web applications. Mozilla interprets ECMA-262 octal literals containing 8 or 9 as not legal.

```
08 is not a legal ECMA-262 octal constant.
09 is not a legal ECMA-262 octal constant.
```

The spec: https://tc39.es/ecma262/#sec-additional-syntax-numeric-literals

## Impact

As per Chromium's response as well as our own research, random deviations in octal literals are catastrophic. The issue highly affects parseInt. It should return undefined for truly undefined results.

```console
> parseInt(08);
8
> parseInt(0177);
127
> parseInt(012);
10
> parseInt(0000127);
87
>
```
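The Impact sections above point at octal IP address translation in packages such as netmask and at parseInt. As an added example (not code from the report, from netmask or from any other package), the block below contrasts a naive decimal octet parser with two defensive parsers: one that rejects leading zeros outright and one that applies the inet_aton octal convention explicitly and refuses "08"/"09" style octets instead of guessing; all function names are ours and the sample addresses are constructed.

```javascript
// Added example, not code from the report, netmask or any other package.
// Parsing dotted-quad octets as plain decimal disagrees with the octal
// convention of inet_aton-style parsers. Two defensive alternatives follow:
// a strict parser that rejects leading zeros, and an inet_aton-compatible
// parser that handles octal explicitly and refuses "08"/"09" style octets.
// Function names are ours; addresses in the comments are constructed.

// Naive: parseInt(..., 10) reads "0177" as 177, so "0177.0.0.1" looks
// like a public host even though inet_aton resolves it to 127.0.0.1.
function naiveOctets(ip) {
  return ip.split(".").map((o) => parseInt(o, 10));
}

// Strict: only canonical decimal octets (no leading zeros, range 0..255).
// Anything else is rejected with null, so alternate spellings never pass.
function strictOctets(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const out = [];
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    out.push(n);
  }
  return out;
}

// inet_aton-compatible: "0x.." is hex, a leading "0" means octal, else
// decimal. "08"/"09" are not valid octal, so they are rejected, not guessed.
function atonOctets(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const out = [];
  for (const p of parts) {
    let n;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) n = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) n = parseInt(p.slice(1), 8);
    else if (/^(0|[1-9][0-9]*)$/.test(p)) n = Number(p);
    else return null; // covers "08", "09", "", "0177a" and friends
    if (n > 255) return null;
    out.push(n);
  }
  return out;
}

// Reserved-range check that only trusts a parser which did not guess.
function isLoopback(octets) {
  return octets !== null && octets[0] === 127;
}
```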

Related CVEs

Associated Common Vulnerabilities and Exposures

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially …

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Submitted

Weakness

Use of Inherently Dangerous Function