Researchers at Johns Hopkins University recently discovered a startling 180 zero-day vulnerabilities in thousands of Node.js libraries using a new code analysis tool they developed specifically for this purpose, called ODGen.
Seventy of these flaws have since been assigned Common Vulnerability and Exposure (CVE) identifiers. They include command injection flaws, path traversal vulnerabilities, arbitrary code execution issues, and cross-site scripting vulnerabilities, including some in widely used applications.
In a paper published at the Usenix Security Symposium earlier this month, Johns Hopkins researchers – Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao – described ODGen as a better alternative to current code analysis and software. -called graphical queries. approaches to finding Node.js vulnerabilities.
So the researchers instead developed what they described as a “new” and better method called Object Dependence Graph (ODG) which can be used to detect vulnerabilities in Node.js. They implemented ODGen to generate “ODG” for Node.js programs to detect vulnerabilities, they said.
Cao, assistant professor of computer science at Johns Hopkins University and co-author of the research report, uses some analogies to describe graph-based code analysis in general and their objective dependency graph proposal. “If we view a vulnerability as a special pattern – say, a green node connected to a red node and then to a black node – a graph-based code analysis tool first converts programs into a graph with many nodes and edges,” Cao explains. . “The tool then looks for such patterns in the graph to locate a vulnerability.”
A variety of bugs
To see if their approach works, the researchers first tested ODGen against a sample of 330 previously reported vulnerabilities in Node.js packages on the Node Package Manager (npm) repository. The test showed that the scanner correctly identified 302 out of 330 vulnerabilities. Building on the relatively high accuracy rate, the researchers ran ODGen on some 300,000 Java packages in npm. The scanner reported a total of 2,964 potential vulnerabilities in the packages. The researchers checked 264 of them – all with more than 1,000 downloads per week on average – and were able to confirm that 180 were legitimate vulnerabilities. Forty-three of these were at the application level, 122 were in packages imported by other applications or code, and the remaining 15 were present in indirect packages.
A plurality (80) of the confirmed vulnerabilities detected by ODGen were command injection streams that allow attackers to execute arbitrary code at the operating system level through a vulnerable application. Thirty were path crossing faults; 24 enabled code tampering and 19 involved a specific type of command injection attack called prototype pollution.