Prototype pollution project produces another Parse Server RCE

A prototype pollution vulnerability that could lead to remote code execution (RCE) in Parse Server has been patched.

An attacker could potentially trigger RCE through the MongoDB BSON [Binary JSON] parser by leveraging the flaw (CVE-2022-39396), according to a GitHub security advisory published on November 8.

Parse Server is a popular, open source API server module for Node.js that provides push notification functionality for iOS, macOS, Android, and tvOS.

Although the security researchers involved are withholding technical details to give developers time to apply patches, we know the bug is comparable to another prototype pollution-to-RCE issue they disclosed earlier in the year. That vulnerability, which surfaced in March 2022, was given the highest possible severity rating of CVSS 10.

Patch now

“I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication,” Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig. “So my advice is to patch Parse Server ASAP, if you have it.”

The flaw has been patched in the NPM parse-server package in versions 4.10.18 and 5.3.1.

The patches prevent prototype pollution in the MongoDB database adapter. If updates cannot be applied immediately, then users can protect themselves in the meantime by disabling RCE through the MongoDB BSON parser.

‘Complex task’

The flaw was discovered during a research project undertaken by Shcherbakov, KTH colleague Musard Balliu, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.

The trio investigated how prototype pollution vulnerabilities in Node.js systems might lead to RCE attacks.

“The detection of prototype pollution is a complex task,” said Shcherbakov. “However, the exploitation that demonstrates a high impact of vulnerabilities is more complicated in practice but still possible.”

The researchers have presented their findings, which also cover the Node.js targets NPM CLI and Rocket.Chat, in a white paper (PDF). They are due to present their research at the USENIX Security ’23 conference.

Universal gadgets

Prototype pollution, which affects Node.js and prototype-based languages like JavaScript, involves injecting “properties into an object’s root prototype at runtime [to] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype,” explains the presentation précis.

The researchers set out to find “end-to-end exploits beyond DoS in full-fledged Node.js applications”, and “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets”.

Technical details for the Parse Server RCE will eventually be disclosed via the Trend Micro Zero Day Initiative (ZDI) blog.

Other significant security bugs addressed in Parse Server this year include an issue that enabled brute-force guessing of sensitive user data, and a high-severity authentication bypass impacting Apple Game Center.
