Do your applications use this vulnerable package?
Test your applications
Overview
pullit
is Display and pull branches from GitHub pull requests.
Affected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the eval()
function. Node.js provides the eval()
function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. pullit
uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.
PoC
- Create a branch that could potentially terminate an exec() command and concatenate to it a new command:
git checkout -b ";{echo,hello,world}>/tmp/c”
- Push it to GitHub and create a pull request with this branch name
- Run pullit from command line, select the relevant pull request to checkout locally
- Read the contents of
/tmp/c
Disclosure Timeline
- Oct 24th, 2017 - Initial Disclosure
- Jan 11th, 2018 - Second Reminder
- Feb 14th, 2018 - Public GitHub issue opened
- Feb 14th, 2018 - First response from maintainer
- Feb 14th, 2018 - Vulnerability published
- Feb 19th, 2018 - Vulnerability fixed
Remediation
Upgrade pullit
to version 1.4.0 or higher.
References
CVSS Score
8.8
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionRequired
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityHigh
-
AvailabilityHigh
- Credit
- Liran Tal
- CWE
- CWE-94
- Snyk ID
- npm:pullit:20180214
- Disclosed
- 13 Feb, 2018
- Published
- 14 Feb, 2018