Node.js Detected with Vulnerability encountered by Captain Freak

Node.js is a cross-platform, open-source, JavaScript back-end runtime environment built on Chrome's V8 engine that runs JavaScript outside a web browser. Recently, a vulnerability in a Node.js stack could have been used to exploit the framework and achieve remote code execution (RCE).
A report published on January 23 by Shoeb ‘Captain Freak’ Patel, a self-described ‘want to be’ security researcher, says that his analysis indicates Express.js may be prone to a local file read flaw. In combination with an old version of the Handlebars engine (Handlebars is a popular templating engine for web applications), malicious code may be run remotely. “If you are using Express.Js with Handlebars as templating engine invoked via hbs view engine, for Server Side Rendering, you are likely vulnerable to Local File Read (LFR) and potential Remote Code Execution (RCE),” stated Captain Freak.
Captain Freak further said that, because of his experience with developers’ code, he wanted to search for flaws in Node.js, Express.js, and Handlebars. He said that last week he “stumbled” over a critical local file read issue that required a payload of fewer than 10 lines of code for the RCE exploit, and, “To be honest, I should not have been that surprised.”
“The betrayal by in-built modules, dependencies, and packages has been the reason to introduce numerous security bugs. This is a recurring theme in software security,” added Captain Freak.
He explained that if a target responds with the X-Powered-By: Express header and returns HTML in its responses, it is highly likely that Node.js with server-side templating is in use. In that case, a tester can add layout as a GET or POST body parameter in their discovery wordlist. If an arbitrary value for the layout parameter results in a 500 Internal Server Error with ENOENT: no such file or directory in the body, then the tester has hit the LFR.
The betrayal by built-in modules, dependencies, and packages has contributed to many security vulnerabilities, and it remains a recurring issue in software security. To check whether this behavior was generally understood, Captain Freak created a CTF challenge and shared it with several of his talented friends from various network security, Node, back-end tech, CTF, and bug bounty internet forums.
This turned out to be a little-known vulnerability: only 4 people (all CTF players) were able to solve the challenge, even after being given the whole source code. Captain Freak found strange behavior in the Node.js stack: any file with an extension could be read from the root views directory when supplied as the layout, and its contents were forwarded to Handlebars for compilation, which lets a file whose contents are fully under the attacker’s control be compiled as a template. Under particular conditions this then triggers RCE, which requires Handlebars versions 4.0.3 and below. This issue has been patched in Handlebars versions 4.1.2, 4.0.14, and later.
“I wrote about it so that the whole Node.js and web development community [would] know about this quirky behavior in this stack,” stated Captain Freak.