‘Not a prototype pollution vulnerability as you might normally understand it’
NodeBB, a Node.js platform for creating forum applications, has patched a prototype pollution vulnerability that could allow attackers to impersonate other users and take over administrator accounts.
The weakness lay in how NodeBB's developers had declared one of the application's own objects, which allowed attackers to misuse the objects exposed through Socket.IO. The maintainers of NodeBB told The Daily Swig that they have released only limited information about the bug to give developers some time to update their applications.
However, Barış Uşaklı, one of those maintainers, did confirm that “the issue has a big impact since it allows an attacker to impersonate other users or make Socket.IO calls as an administrator”.
On a default NodeBB installation, the vulnerability could allow an unauthenticated user to obtain admin access to the application. If the instance had enabled plugins with additional checks, such as two-factor authentication, then the impact would be more limited and require authenticated access to the application.
Uşaklı said there is no evidence that the bug has been exploited in the wild. The maintainers patched the issue on the same day it was reported and updated their hosted clients the next day.
Not your average prototype pollution bug
Prototype pollution, as usually understood, occurs when an attacker-controlled key such as "__proto__" reaches an unsafe merge or assignment and adds properties to Object.prototype, from which every object in the process then inherits them. The NodeBB bug differs from that typical pattern.
“This is not a prototype pollution vulnerability as you might normally understand it,” Stephen Bradshaw, the security researcher who discovered and reported the bug, told The Daily Swig.
“In this case, access to the prototype of an object that was responsible for whitelisting functions run through the Socket.IO interface could be abused to modify the application’s environment in such a way that elevation of privileges was possible.”
Per agreement with NodeBB maintainers, Bradshaw has delayed publication of his write-up and full exploitation details until January.
Be careful how you declare your objects
The patch for the bug was a simple one-line modification that changed the method used to declare one of the objects.
The silver lining is that patching NodeBB instances is fairly easy. Developers who cannot upgrade to the latest version can cherry-pick the patch commit and receive only the security fix.
Bradshaw said that it’s important for security assessors and developers to “understand ‘weird’ features of the programming language” when coding and reviewing an application.