[Packagist] Argument Injection in Mercurial Driver leading to RCE
An argument injection leading to remote code execution on the Packagist server. The vulnerability comes from how workers try to update a package's main documentation page by reading the package's readme file using hg's cat command.
When the readme is a .txt file, the worker uses the source control system driver's getFileContent method. For Mercurial repositories this leads to calling hg cat -r <branch> <file>, where <branch> and <file> are attacker-controlled values. Without any validation of the branch name, one could inject a --config argument that overrides the default behavior of hg cat and makes it execute arbitrary shell commands:
--config=alias.cat=!hg cat -r :payload.sh|sh;.txt
They also found that the GitDriver had a similar issue, where the branch and file values were reflected into a git show <branch>:<file>; however, the mandatory suffix of :<file> prevented exploitation.
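The defensive point here is that an argv built from a list (no shell) is not enough when an attacker controls a value that can start with a dash: the value slot after -r will happily accept an option-looking string, and a "--" end-of-options marker only protects positional arguments that come after it. The following added example (not code from Packagist or Composer) contrasts the naive argv construction the write-up describes with a hardened builder that allow-lists ref and path values before they reach hg or git. The regexes, function names and the idea of calling the validators before argv construction are this example's own assumptions; it only builds argv and never runs a VCS command, so it runs offline.

```python
import re

# Payload quoted in the write-up, used here only as a test input for the
# validator (the branch slot of `hg cat -r <branch> <file>`).
PAGE_PAYLOAD = "--config=alias.cat=!hg cat -r :payload.sh|sh;.txt"

# Assumption: a conservative allow-list for refs (branches/tags/bookmarks)
# and repo-relative paths. Deliberately tighter than what hg/git accept,
# so nothing that could be parsed as an option or a shell token passes.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]{0,254}$")
_PATH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/ -]{0,1023}$")


class UnsafeArgumentError(ValueError):
    """Raised when an attacker-controlled value could change argv semantics."""


def validate_ref(ref: str) -> str:
    # The leading-dash check is the one that matters for option injection;
    # the regex additionally rules out shell metacharacters and whitespace.
    if ref.startswith("-") or not _REF_RE.fullmatch(ref):
        raise UnsafeArgumentError(f"refusing suspicious ref: {ref!r}")
    return ref


def validate_path(path: str) -> str:
    if path.startswith("-") or not _PATH_RE.fullmatch(path):
        raise UnsafeArgumentError(f"refusing suspicious path: {path!r}")
    if ".." in path.split("/"):
        raise UnsafeArgumentError(f"refusing path traversal: {path!r}")
    return path


def naive_hg_cat_argv(branch: str, path: str) -> list[str]:
    """The pattern the write-up describes: values dropped straight into argv.

    Even without a shell, `hg` sees whatever the attacker supplied in the
    value slot after -r, so an option-looking branch name is interpreted
    by hg's own option parser.
    """
    return ["hg", "cat", "-r", branch, path]


def hg_cat_argv(branch: str, path: str) -> list[str]:
    """Hardened form: validate both values, and terminate options with --.

    Note that -- protects only the positional <file>; the -r value is
    guarded by validate_ref(), which is why the allow-list is not optional.
    """
    return ["hg", "cat", "-r", validate_ref(branch), "--", validate_path(path)]


def git_show_argv(branch: str, path: str) -> list[str]:
    """Same discipline for the git equivalent `git show <branch>:<file>`.

    The mandatory `:<file>` suffix is what blocked exploitation in the
    write-up, but validating the inputs removes the reliance on that accident.
    """
    return ["git", "show", f"{validate_ref(branch)}:{validate_path(path)}"]


def is_rejected(builder, branch: str, path: str) -> bool:
    """Helper for demos/tests: True if the builder refuses the inputs."""
    try:
        builder(branch, path)
    except UnsafeArgumentError:
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: the naive builder forwards the payload untouched,
    # the hardened builders refuse it.
    print(naive_hg_cat_argv(PAGE_PAYLOAD, "README.txt"))
    print("hardened hg rejects payload:", is_rejected(hg_cat_argv, PAGE_PAYLOAD, "README.txt"))
    print("hardened git rejects payload:", is_rejected(git_show_argv, PAGE_PAYLOAD, "README.txt"))
    print(hg_cat_argv("default", "README.txt"))
```

The validator runs before argv is assembled, so the decision to refuse is made on the raw input rather than on the string hg or git would eventually parse; in a worker that processes untrusted repository metadata, refusing a ref is also a useful signal to log and alert on.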