GHSA-MPCW-3J5P-P99X

Vulnerability from github – Published: 2024-10-24 18:27 – Updated: 2024-10-24 18:27
VLAI
Summary
Butterfly's parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)
Details

Summary

Usage of the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.

Since Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.

Details

The parseJSON function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling eval, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.

However, the regex is imperfect, as was discovered earlier by Mike Samuel; specifically, the "cleaner" can be tricked into treating part of the input as a string that the "evaluator" does not, because of a difference in interpretation regarding the the Unicode zero-width joiner character. Representing that character with a visible symbol, a malicious input looks like:

"\�\", Packages.java.lang.Runtime.getRuntime().exec('gnome-calculator')) // "

This is understood...

  • by JSON_cleaning_RE as a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds to eval.
  • by the eval function, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.

The function call is evaluated, and a calculator is opened.

Possible mitigations and additional defenses could include:

  • Replacing the JSON implementation with Rhino's built-in implementation.
  • Dropping all JSON-related and JSONP-related code entirely.
  • Restricting the access the JavaScript controller code has to the rest of the system by using initSafeStandardObjects instead of initStandardObjects, using setClassShutter, and so on.

PoC

Change OpenRefine core controller.js to add a call to the vulnerable getJSON function:

diff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js
index 4ceba0676..1ce0936d2 100644
--- a/main/webapp/modules/core/MOD-INF/controller.js
+++ b/main/webapp/modules/core/MOD-INF/controller.js
@@ -631,0 +632,5 @@ function process(path, request, response) {
+    if (path == "getjsontest") {
+      butterfly.getJSON(request);
+      return true;
+    }
+

Then, restart OpenRefine and submit the malicious request. For example, the following bash command (with $' quoting) should do it:

curl -H 'Content-Type: application/json;charset=utf-8' --data $'"\\\u200d\\", Packages.java.lang.Runtime.getRuntime().exec(\'gnome-calculator\')) // "' http://localhost:3333/getjsontest

Impact

Any JavaScript controller that calls one of these functions is vulnerable to remote code execution.

OpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openrefine.dependencies:butterfly"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T18:27:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nUsage of the `Butterfly.prototype.parseJSON` or `getJSON` functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.\n\nSince Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.\n\n### Details\n\nThe `parseJSON` function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling `eval`, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.\n\nHowever, the regex is imperfect, as was [discovered earlier by Mike Samuel](https://dev.to/mikesamuel/2008-silently-securing-jsonparse-5cbb); specifically, the \"cleaner\" can be tricked into treating part of the input as a string that the \"evaluator\" does not, because of a difference in interpretation regarding the [the Unicode zero-width joiner character](https://unicode-explorer.com/c/200D). Representing that character with a visible symbol, a malicious input looks like:\n\n```js\n\"\\\ufffd\\\", Packages.java.lang.Runtime.getRuntime().exec(\u0027gnome-calculator\u0027)) // \"\n```\n\nThis is understood...\n\n* by `JSON_cleaning_RE` as a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds to `eval`.\n* by the `eval` function, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.\n \nThe function call is evaluated, and a calculator is opened.\n\nPossible mitigations and additional defenses could include:\n\n* Replacing the JSON implementation with Rhino\u0027s built-in implementation.\n* Dropping all JSON-related and JSONP-related code entirely.\n* Restricting the access the JavaScript controller code has to the rest of the system by using `initSafeStandardObjects` instead of `initStandardObjects`, using `setClassShutter`, and so on.\n\n### PoC\n\nChange OpenRefine `core` `controller.js` to add a call to the vulnerable `getJSON` function:\n\n```diff\ndiff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js\nindex 4ceba0676..1ce0936d2 100644\n--- a/main/webapp/modules/core/MOD-INF/controller.js\n+++ b/main/webapp/modules/core/MOD-INF/controller.js\n@@ -631,0 +632,5 @@ function process(path, request, response) {\n+    if (path == \"getjsontest\") {\n+      butterfly.getJSON(request);\n+      return true;\n+    }\n+\n```\n\nThen, restart OpenRefine and submit the malicious request. For example, the following `bash` command (with $\u0027 quoting) should do it:\n\n```\ncurl -H \u0027Content-Type: application/json;charset=utf-8\u0027 --data $\u0027\"\\\\\\u200d\\\\\", Packages.java.lang.Runtime.getRuntime().exec(\\\u0027gnome-calculator\\\u0027)) // \"\u0027 http://localhost:3333/getjsontest\n```\n\n### Impact\n\nAny JavaScript controller that calls one of these functions is vulnerable to remote code execution.\n\nOpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.",
  "id": "GHSA-mpcw-3j5p-p99x",
  "modified": "2024-10-24T18:27:50Z",
  "published": "2024-10-24T18:27:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-mpcw-3j5p-p99x"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/simile-butterfly/commit/2ad1fa4cd8afe3c920c8e6e04fe7a7df5cf8294e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenRefine/simile-butterfly"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Butterfly\u0027s parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…