Arbitrary Command Execution

Affecting pullit package, versions <1.4.0

Do your applications use this vulnerable package? Test your applications

Overview

pullit is Display and pull branches from GitHub pull requests.

Affected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. pullit uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.

PoC

  • Create a branch that could potentially terminate an exec() command and concatenate to it a new command: git checkout -b ";{echo,hello,world}>/tmp/c”
  • Push it to GitHub and create a pull request with this branch name
  • Run pullit from command line, select the relevant pull request to checkout locally
  • Read the contents of /tmp/c

Disclosure Timeline

  • Oct 24th, 2017 - Initial Disclosure
  • Jan 11th, 2018 - Second Reminder
  • Feb 14th, 2018 - Public GitHub issue opened
  • Feb 14th, 2018 - First response from maintainer
  • Feb 14th, 2018 - Vulnerability published
  • Feb 19th, 2018 - Vulnerability fixed

Remediation

Upgrade pullit to version 1.4.0 or higher.

References

CVSS Score

8.8
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Credit
Liran Tal
CWE
CWE-94
Snyk ID
npm:pullit:20180214
Disclosed
13 Feb, 2018
Published
14 Feb, 2018