Show Notes

159 - GitHub to GitLab RCE and a new PHP Supply Chain Attack

Yet another case of turning attacker data into full-blown objects automatically being a bad idea, in this case we have the Sawyer library used by Octokit turning API response into Ruby objects that is used to build Redis commands, allowing an attacker to inject arbitrary Redis commands leading to code execution with a crafted API response.

As the API responses are trusted, an attacker could setup that own attack server and provide a custom github_domain when importing so that an attacker controllered server will be used instead of the actual GitHub.com API (this is to support Enterprise customers with self-hosted GitHub instances). the build_command method basically takes in the object right from the API so an attacker has complete control over the object, and uses it without any validation, allowing an attacker to craft a malicious to_s (Ruby’s version of a toString or __string__ type method) that will contain Redis commands.

An argument injection leading to remote code execution on Packagist server. The vulnerability comes from how workers will try to update the package’s main documentation page by reading the package’s readme file use hg’s cat command.

When it is a .txt file it will use the source control system driver’s getFileContent method. For Mercurial repositories then leads to calling hg cat -r <branch> <file> where <branch> and <file> are attacker controlled values. Without any validation on the branch name one could inject a --config argument that will override the default behavior of hg cat and make it execute arbitrary shell commands.

--config=alias.cat=!hg cat -r :payload.sh|sh;.txt

They also found that the GitDriver had a similar issue, where the branch and file values were reflected into a get show <branch>:<file> however the mandatory suffix of :<file> prevented exploitation.

Authentication to the Fortinet management panel for various applications could be bypassed by meeting two conditions, the resolved client-ip is 127.0.0.1 and the user-agent is Report Runner

The first could be met by providing a crafted Forwarded header, the second is always under the control of the attacker anyhow. With that they could access administrative functionality, though they could not change the admin user’s password. Instead they were able to add an extra SSH key to the admin user and use the command line interface.

Just another thing to be testing for, it was found that the Apache Commons Text library when doing a StringLookup will do variable expansion. Supporting several prefixes like url to fetch data from a remote url or script to execute a Javax string. This is just a reported issue in the core library, actual vulnerable instances will vary depending on how the lookup is accessed. It would make sense to start tossing something like ${url:https://example.com} into your testing though just to see what happens to ping your URL.