POC details: 8284b5c8656685423e2ffa8ca07e3d24b7b21216

Source
Related vulnerability
Title: tough-cookie security vulnerability (CVE-2023-26136)
Description: tough-cookie is an open-source library from Salesforce. Versions of tough-cookie before 4.1.3 contain a security vulnerability: improper handling of cookies when a CookieJar is used in rejectPublicSuffixes=false mode can lead to prototype pollution.
Description
This repository contains a solution for the CVE-2023-26136 vulnerability.
Introduction
## Research on the vulnerability CVE-2023-26136

### Description

Versions of the package `tough-cookie` before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of cookies when using `CookieJar` in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which objects are initialized.


### Objective and Fix
This project aims to provide a patched version of `tough-cookie@2.5.0` that eliminates the `CVE-2023-26136` vulnerability while ensuring backward compatibility.

To fix the vulnerability, we modified memstore.js to ensure that cookies are stored in an object without prototype pollution risks by replacing standard object initialization with Object.create(null). This prevents prototype manipulation through maliciously crafted cookie names.


### Structure

In the tough-cookie/ directory, we can find two additional directories containing the original and patched versions of tough-cookie:

1. **Original version (`v2.5.0/`)** – Unmodified `tough-cookie` 2.5.0, which is vulnerable.
2. **Patched version (`v2.5.0-PATCHED/`)** – A modified version that includes a fix for `CVE-2023-26136`.

### Installation

To install the original vulnerable version:
```sh
npm install tough-cookie@2.5.0
```

### Patch Details

The applied patch changes the way cookies are stored: `this.idx = {};` was changed to `this.idx = Object.create(null);`.

This prevents attackers from injecting properties into the prototype chain and exploiting the vulnerability.

The vulnerability in tough-cookie (CVE-2023-26136) arises from the use of a plain JavaScript object (`{}`) to store cookies. Since `{}` inherits from `Object.prototype`, it can be exploited by injecting properties such as `__proto__`, leading to prototype pollution. This could allow an attacker to manipulate application behavior or cause other security issues.

To mitigate this, the patch replaces `{}` with `Object.create(null)`, which creates an object with no prototype (`[[Prototype]]: null`). Such an object inherits nothing from `Object.prototype`, so a write keyed by `__proto__` lands on the object itself instead of reaching the shared prototype.

By using `Object.create(null)`, we effectively isolate the cookie store from unintended prototype inheritance, making it safer against prototype pollution attacks.
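As an added illustration (not the project's code and not the real `MemoryCookieStore`), the following stand-in mirrors the nested `idx[domain][path][key]` layout of memstore.js with both initialisations side by side, plus a check a test suite can use to confirm that `Object.prototype` was not written; `makeStore`, `demo` and `isPrototypeClean` are names assumed here.

```javascript
// Added example: a stripped-down stand-in for the idx[domain][path][key] map
// used by tough-cookie's in-memory store. `safe === false` uses `{}` (the
// 2.5.0 layout); `safe === true` uses Object.create(null) (the patched layout).
function makeStore(safe) {
  const newMap = safe ? () => Object.create(null) : () => ({});
  const idx = newMap();
  return {
    // Same nesting as MemoryCookieStore.putCookie: domain -> path -> key.
    putCookie(domain, path, key, value) {
      if (!idx[domain]) idx[domain] = newMap();
      if (!idx[domain][path]) idx[domain][path] = newMap();
      idx[domain][path][key] = value;
    },
    findCookie(domain, path, key) {
      const byDomain = idx[domain];
      if (!byDomain) return undefined;
      const byPath = byDomain[path];
      if (!byPath) return undefined;
      return byPath[key];
    },
  };
}

// isPrototypeClean(name) is true when Object.prototype has no own property
// called `name`, i.e. no store write leaked into every object in the runtime.
function isPrototypeClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// demo(safe) stores one constructed cookie whose domain field is the string
// "__proto__" and reports whether an unrelated object can now observe the
// write. With `{}`, idx["__proto__"] resolves to Object.prototype, so the
// path-level write creates Object.prototype["/"]; with Object.create(null)
// "__proto__" is just an ordinary own key.
function demo(safe) {
  const store = makeStore(safe);
  store.putCookie('__proto__', '/', 'polluted', 'yes');
  const unrelated = {};
  const leaked = unrelated['/'] !== undefined;
  const found = store.findCookie('__proto__', '/', 'polluted');
  // Undo any pollution so repeated runs start from a clean prototype.
  delete Object.prototype['/'];
  return { leaked, found };
}

console.log('plain {} leaks:', demo(false).leaked);            // true
console.log('Object.create(null) leaks:', demo(true).leaked);  // false
```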


### Installation Guide and Patch Instructions

To install the patched version locally, follow these steps:

1. **Extract the patched package (optional for verification):**

`tar -tzf tough-cookie-2.5.0.tgz`

If needed, extract it:

`tar -xzf tough-cookie-2.5.0.tgz`

2. **Install the patched package:**

`npm install ./tough-cookie-2.5.0.tgz`

3. **Verify the fix:**
Run the test script:

`node index.js`

Expected output:

`EXPLOITED SUCCESSFULLY` - for the original version

`EXPLOIT FAILED` - for the patched version


### Node.js Compatibility

The patched version has been tested on Node.js 20 (LTS) to ensure compatibility with the latest stable runtime environment.


### Repository and Fork

The original `tough-cookie` repository (Salesforce) is currently at version 5.1.1. Since we are working with version 2.5.0, a direct fork from the main repository isn't possible. Instead, we created a separate repository containing both the original and patched versions. You can find it here:

GitHub Repository - Forked Version


### CI/CD
- No CI/CD tools were used in this research.
- Familiar with Docker (basic level).


### Reference

For more details, visit the official CVE page: [CVE-2023-26136 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-26136)

File snapshot

```
[4.0K] /data/pocs/8284b5c8656685423e2ffa8ca07e3d24b7b21216
├── [ 703] patch_diff.txt
├── [3.5K] README.md
└── [4.0K] tough-cookie
    ├── [3.3K] index.js
    ├── [4.0K] node_modules
    ├── [4.0K] Original v2.5.0
    │   ├── [4.0K] lib
    │   │   ├── [ 40K] cookie.js
    │   │   ├── [5.7K] memstore.js
    │   │   ├── [2.4K] pathMatch.js
    │   │   ├── [2.2K] permuteDomain.js
    │   │   ├── [1.7K] pubsuffix-psl.js
    │   │   ├── [2.9K] store.js
    │   │   └── [ 52] version.js
    │   ├── [1.5K] LICENSE
    │   ├── [1.7K] package.json
    │   └── [ 27K] README.md
    ├── [ 3] package.json
    ├── [ 91] package-lock.json
    └── [4.0K] v2.5.0-PATCHED
        ├── [4.0K] lib
        │   ├── [ 40K] cookie.js
        │   ├── [6.0K] memstore.js
        │   ├── [2.4K] pathMatch.js
        │   ├── [2.2K] permuteDomain.js
        │   ├── [1.7K] pubsuffix-psl.js
        │   ├── [2.9K] store.js
        │   └── [ 52] version.js
        ├── [1.5K] LICENSE
        ├── [1.7K] package.json
        ├── [ 27K] README.md
        └── [ 25K] tough-cookie-2.5.0.tgz

6 directories, 26 files
```