Prototype pollution is a relatively recent class of vulnerability in JavaScript code, leading to high-impact attacks such as arbitrary code execution. The vulnerability is rooted in JavaScript's prototype-based inheritance, which lets an attacker inject arbitrary properties into an object's prototype at runtime. The impact of prototype pollution depends on the existence of otherwise benign pieces of code (gadgets) that inadvertently read attacker-controlled properties and then perform security-sensitive operations. While prior work primarily studies gadgets in third-party libraries and client-side applications, gadgets in JavaScript runtime environments are arguably more impactful, as they affect every application that executes on these runtimes. In this paper we design, implement, and evaluate a pipeline, GHunter, to systematically detect gadgets in V8-based JavaScript runtimes, with a primary focus on Node.js and Deno. GHunter uses a lightweight dynamic taint analysis to automatically identify gadget candidates, which we validate manually to derive proof-of-concept exploits. We implement GHunter by modifying the V8 engine and the targeted runtimes, adding features that facilitate manual validation. Driven by the test suites of Node.js and Deno, we use GHunter in a study of gadgets in these runtimes. We identified a total of 56 new gadgets in Node.js and 67 gadgets in Deno, pertaining to vulnerabilities such as arbitrary code execution (19), privilege escalation (31), path traversal (13), and more. Moreover, we systematize, for the first time, existing mitigations for prototype pollution and gadgets in the form of development guidelines. We collect a list of vulnerable applications and revisit their fixes through the lens of our guidelines. Through this exercise, we identified one high-severity CVE leading to remote code execution, caused by an incorrect fix of a gadget.
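The source-to-gadget chain the abstract describes, as an added example that is not code from the paper or from GHunter: a naive recursive merge (the classic pollution source) writes an attacker-supplied `__proto__` key into `Object.prototype`; a constructed, deliberately benign-looking function `buildCommandGadget` then reads `opts.interpreter` from an object that has no such own property, so the lookup walks up to the polluted prototype and the attacker controls the command string. `safeMerge` and `buildCommandHardened` are the corresponding defensive versions, and `demo()` runs both sides and cleans up the global prototype afterwards. All function names, the payload and the `interpreter` option are illustrative assumptions; the sink only builds the command string and does not execute it.

```javascript
// Added example (not from the GHunter paper). Illustrates how a pollution
// source and an unrelated gadget combine, and how both sides are hardened.

// --- Source: naive recursive merge of attacker-controlled JSON. ---
// JSON.parse creates an OWN property literally named "__proto__", so
// Object.keys(src) returns it; on the target, target["__proto__"] resolves
// to Object.prototype, and the recursion writes straight into it.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const v = src[key];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// --- Hardened source: refuse the keys that reach a prototype and only
// recurse into OWN properties of the target, never inherited ones. ---
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const v = src[key];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// --- Gadget (constructed): benign on its own. `job.options` is undefined,
// so `opts` is a fresh {} and `opts.interpreter` is looked up on the
// prototype chain. A real gadget would hand this string to child_process.
function buildCommandGadget(job) {
  const opts = job.options || {};
  const interpreter = opts.interpreter || 'node';
  return `${interpreter} ${job.script}`;
}

// --- Hardened gadget: only honour the option if it is an OWN property. ---
function buildCommandHardened(job) {
  const opts = job.options || {};
  const interpreter = Object.hasOwn(opts, 'interpreter') ? opts.interpreter : 'node';
  return `${interpreter} ${job.script}`;
}

// Runs the whole chain and returns the observations. The payload is a
// constructed sample of what an attacker would submit to a JSON endpoint.
function demo() {
  const payload = JSON.parse('{"name":"build","__proto__":{"interpreter":"/tmp/evil"}}');
  const job = { script: 'build.js' };          // has no own `options`

  // 1. Safe merge: the __proto__ key is dropped, the global prototype is untouched.
  const safeTarget = safeMerge({}, payload);
  const leakedAfterSafe = 'interpreter' in {};            // false
  const beforePollution = buildCommandGadget(job);        // 'node build.js'

  // 2. Unsafe merge: Object.prototype.interpreter is now attacker-controlled.
  unsafeMerge({}, payload);
  const polluted = 'interpreter' in {};                   // true
  const gadgetOutput = buildCommandGadget(job);           // '/tmp/evil build.js'
  const hardenedOutput = buildCommandHardened(job);       // still 'node build.js'

  delete Object.prototype.interpreter;                    // undo the pollution
  return {
    safeName: safeTarget.name,
    leakedAfterSafe, beforePollution, polluted, gadgetOutput, hardenedOutput,
  };
}
```

Note the asymmetry the abstract points at: the gadget contains no bug in the usual sense, and the merge contains no dangerous operation; only together do they yield the attacker-chosen command. Checking `Object.hasOwn` (or building option objects with `Object.create(null)`) in the consumer, and denying prototype-reaching keys in the producer, are independent defences; freezing `Object.prototype` at process start is the blunter runtime-level variant.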