RCE in GitLab when removing metadata using ExifTool
Original Post:
We discussed this vulnerability during Episode 77 on 18 May 2021
The vulnerability itself is in ExifTool. When parsing DjVu archive metadata it takes a quoted token, does some validation on it to make sure it is safe, and then calls eval on it to process the C-style string escapes within the string. The problem is that the validation trips up on an escaped newline: it ignores the newline character and treats the character after it as the escaped one. So a backslash followed by a newline and then a quote is treated as though the quote were escaped, allowing an unescaped quote to be injected and arbitrary Perl to be appended to the eval string.
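The following is an added illustration of the bug class described above, not ExifTool's own code and not tied to its actual regular expressions. It pairs a hypothetical validator that drops whitespace before checking for escaped quotes (so a backslash, newline, quote sequence looks escaped) with a decoder that handles C-style escapes directly and never hands the token to an interpreter, which is the mitigation: an unbalanced quote then has nothing to break out of. The sample tokens are constructed.

```python
import re

# Constructed sample tokens (not from the page): the text between the quotes
# of a metadata string, before escape processing.
BENIGN_TOKEN = r'Title: \"Sunset\"\tby Alice'
# A backslash, then a real newline, then a quote: the shape of input the
# page says the vulnerable validator mis-read as an escaped quote.
TRICKY_TOKEN = 'Title: \\\n" hello'

# Single-character C escapes handled by the decoder below.
_SIMPLE = {
    'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'b': '\b',
    'f': '\f', 'v': '\v', '\\': '\\', '"': '"', "'": "'",
}


def naive_looks_safe(tok: str) -> bool:
    """Hypothetical validator showing the class of bug: it collapses
    whitespace (dropping the newline) and then checks that every quote is
    immediately preceded by a backslash. For TRICKY_TOKEN the newline
    vanishes, the quote lands right after the backslash, and the token is
    wrongly judged safe."""
    flat = re.sub(r'\s+', '', tok)
    return all(i > 0 and flat[i - 1] == '\\'
               for i, ch in enumerate(flat) if ch == '"')


def decode_c_escapes(tok: str) -> str:
    """Decode C-style escapes by walking the token one character at a time.
    No eval: the result is data, never code. Anything that is not a known
    escape (including a backslash followed by a newline) is rejected."""
    out = []
    i, n = 0, len(tok)
    while i < n:
        ch = tok[i]
        if ch != '\\':
            out.append(ch)
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError('dangling backslash at end of token')
        esc = tok[i + 1]
        if esc in _SIMPLE:
            out.append(_SIMPLE[esc])
            i += 2
        elif esc in '01234567':
            # Octal escape: one to three octal digits.
            m = re.match(r'[0-7]{1,3}', tok[i + 1:])
            out.append(chr(int(m.group(0), 8)))
            i += 1 + len(m.group(0))
        elif esc == 'x':
            # Hex escape: one or two hex digits.
            m = re.match(r'[0-9A-Fa-f]{1,2}', tok[i + 2:])
            if not m:
                raise ValueError(f'malformed \\x escape at offset {i}')
            out.append(chr(int(m.group(0), 16)))
            i += 2 + len(m.group(0))
        else:
            raise ValueError(f'unsupported escape \\{esc!r} at offset {i}')
    return ''.join(out)


if __name__ == '__main__':
    print(repr(decode_c_escapes(BENIGN_TOKEN)))
    print('naive validator accepts tricky token:', naive_looks_safe(TRICKY_TOKEN))
    try:
        decode_c_escapes(TRICKY_TOKEN)
    except ValueError as e:
        print('direct decoder rejects it:', e)
```

The contrast worth noticing is that the naive validator answers the wrong question (does each quote appear escaped?) while the direct decoder never needs to answer it: because the token is decoded rather than evaluated, a stray quote is just a character in the output or a rejected input, not a change in control flow.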