Fix shell code injection and merging #2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Good catch! Honestly, I'm just happy to see that someone is using this thing. I think your fix would still allow injection if the filename contained |
blochberger
added a commit
to blochberger/WordGit
that referenced
this pull request
Apr 10, 2020
The previous code used double quotes to surround paths, which still
allows environment variables and shell code to be evaluated by the
shell. Hence, we use single quotes now, to avoid this problem.
PoC exploit:
#!/bin/sh -eux
POC=$(mktemp -d)
mkdir -p "$POC"
cd "$POC"
git init
git config difftool.Word.cmd '/path/to/WordGit/diff.js "$LOCAL" "$REMOTE"'
# Test case Gaelan#1
touch '`touch foo`.docx'
git add ./*.docx
test ! -e foo # Will fail if file 'foo' exists (sanity check)
git difftool -t Word --cached
test ! -e foo # Will fail if file 'foo' exists. Oops.
git reset --hard
# Test case Gaelan#2
touch "'"'`touch bar`.docx'"'"
git add ./*.docx*
test ! -e bar # Will fail if file 'bar' exists (sanity check)
ls
git difftool -t Word --cached
test ! -e bar # Will fail if file 'bar' exists. Oops.
git reset --hard
# Cleanup
#rm -rf "$POC"
You need to change the path to WordGit. Then you can run it and test the
exit code. If the exit code is 1, the exploit worked. If the exit code
is 0 the exploit is fixed.
blochberger
force-pushed
the
pr/shellcode
branch
from
37fe0be
to
e5af941
Compare
|
You are correct. I amended my change, so that single quotes in file names are now escaped as well. See also updated PoC. |
The previous code used double quotes to surround paths, which still
allows environment variables and shell code to be evaluated by the
shell. Hence, we use single quotes now, to avoid this problem.
PoC exploit:
#!/bin/sh -eux
POC=$(mktemp -d)
mkdir -p "$POC"
cd "$POC"
git init
git config difftool.Word.cmd '/path/to/WordGit/diff.js "$LOCAL" "$REMOTE"'
# Test case Gaelan#1
touch '`touch foo`.docx'
git add ./*.docx
test ! -e foo # Will fail if file 'foo' exists (sanity check)
git difftool -t Word --cached
test ! -e foo # Will fail if file 'foo' exists. Oops.
git reset --hard
# Test case Gaelan#2
touch "'"'`touch bar`.docx'"'"
git add ./*.docx*
test ! -e bar # Will fail if file 'bar' exists (sanity check)
ls
git difftool -t Word --cached
test ! -e bar # Will fail if file 'bar' exists. Oops.
git reset --hard
# Cleanup
#rm -rf "$POC"
You need to change the path to WordGit. Then you can run it and test the
exit code. If the exit code is 1, the exploit worked. If the exit code
is 0 the exploit is fixed.
blochberger
force-pushed
the
pr/shellcode
branch
from
e5af941
to
cd2c12c
Compare
The merged result was discarded and the remote document was always used after a merge.
|
I also added a fix for issue #1. |
blochberger
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The previous code used double quotes to surround paths, which still allows environment variables and shell code to be evaluated by the shell. Hence, we use single quotes now, to avoid this problem.
PoC exploit:
You need to change the path to WordGit. Then you can run it and test the exit code. If the exit code is 1, the exploit worked. If the exit code is 0 the exploit is fixed.