In addition to regular vulnerability data research, the Sonatype Security Research Team also contributes to the open-source community by going the extra mile when we discover flaws that were not previously reported. Recall that earlier this year our team discovered they could bypass a fix made to the SheetJS project. We took immediate steps to collaborate with the project developers, responsibly disclosing the details of the bypass and working with them on rolling out a new fix. Consequently, we helped protect our customers by incorporating this newly discovered information into our data.
Fast-forward to recent presentations at DefCon, which highlighted various vulnerabilities… Because DefCon is such a widely recognized event, the Security Research Team revisited the data for the vulnerabilities mentioned there, since they were likely to get renewed attention. One such vulnerability we examined was CVE-2019-19507, from “Discovering Hidden Properties to Attack Node.js ecosystem”. As with SheetJS, we discovered that the vulnerability could still be exploited with the existing fix in place.
Json Pattern Validator (JPV) is an open-source JSON schema validator that makes it easy to compare a given JSON object against a schema or particular pattern. A typical use case for such a package is validating that incoming JSON is in an expected format. CVE-2019-19507 allows an attacker to have objects validated as arrays by setting the object’s `constructor.name` to ‘Array’. To fix this problem, JPV was updated to simply check that the constructors matched.
While updating our data for this CVE, Security Researcher Garrett Calpouzos discovered a way to iterate on this attack. By setting the nefarious object’s constructor to be `.constructor`, an attacker could once again successfully masquerade an object as an array and falsely get the JSON data validated by JPV.
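Both the original issue and the bypass depend on a validator reading `constructor` from data the attacker supplies. The sketch below is an added example, not JPV's code or the researchers' PoC: it models only the `constructor.name` comparison described above and contrasts it with `Array.isArray`, plus a pre-validation scan for shadowing keys. All function names and the sample JSON are constructed for illustration.

```javascript
// Added illustration; not JPV's source. Function names are hypothetical.

// Weak check, modelled on the flaw the article describes: it trusts
// `constructor.name`, an ordinary property that parsed JSON can shadow.
function looksLikeArrayByCtorName(value) {
  return value !== null && typeof value === 'object' &&
    value.constructor !== undefined && value.constructor.name === 'Array';
}

// Hardened check: Array.isArray tests the engine's internal array brand and
// never reads properties from the value itself.
function isRealArray(value) {
  return Array.isArray(value);
}

// Defence in depth: list every path where untrusted JSON carries an own
// `constructor`, `__proto__` or `prototype` key that shadows inherited ones.
const SHADOWING_KEYS = new Set(['constructor', '__proto__', 'prototype']);
function findShadowingKeys(value, path = '$', hits = []) {
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const child = `${path}.${key}`;
    if (SHADOWING_KEYS.has(key)) hits.push(child);
    findShadowingKeys(value[key], child, hits);
  }
  return hits;
}

// Constructed sample input (not taken from the article's PoC).
const forged = JSON.parse('{"items": {"constructor": {"name": "Array"}, "0": "x"}}');
const genuine = JSON.parse('{"items": ["x"]}');

function demo() {
  return {
    weakForged: looksLikeArrayByCtorName(forged.items),   // object passes as array
    strongForged: isRealArray(forged.items),              // object is rejected
    weakGenuine: looksLikeArrayByCtorName(genuine.items),
    strongGenuine: isRealArray(genuine.items),
    flagged: findShadowingKeys(forged),                   // paths to reject or log
  };
}
console.log(demo());
```

Running the scan before schema validation gives a place to reject or log such input even when a downstream type check is later found to be weak.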