Arbitrary Command Execution Affecting pullit Open this link in a new tab package, versions <1.4.0


0.0
high
  • Exploit Maturity

    Mature

  • Attack Complexity

    Low

  • User Interaction

    Required

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    npm:pullit:20180214

  • published

    14 Feb 2018

  • disclosed

    13 Feb 2018

  • credit

    Liran Tal

Introduced: 13 Feb 2018

CWE-94 Open this link in a new tab

Overview

pullit is Display and pull branches from GitHub pull requests.

Affected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. pullit uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.

PoC

  • Create a branch that could potentially terminate an exec() command and concatenate to it a new command: git checkout -b ";{echo,hello,world}>/tmp/c”
  • Push it to GitHub and create a pull request with this branch name
  • Run pullit from command line, select the relevant pull request to checkout locally
  • Read the contents of /tmp/c

Disclosure Timeline

  • Oct 24th, 2017 - Initial Disclosure
  • Jan 11th, 2018 - Second Reminder
  • Feb 14th, 2018 - Public GitHub issue opened
  • Feb 14th, 2018 - First response from maintainer
  • Feb 14th, 2018 - Vulnerability published
  • Feb 19th, 2018 - Vulnerability fixed

Remediation

Upgrade pullit to version 1.4.0 or higher.