Arbitrary Command Execution Affecting pullit package, versions <1.4.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    0.27% (69th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:pullit:20180214
  • published 14 Feb 2018
  • disclosed 13 Feb 2018
  • credit Liran Tal

How to fix?

Upgrade pullit to version 1.4.0 or higher.

Overview

pullit is Display and pull branches from GitHub pull requests.

Affected versions of the package are vulnerable to Arbitrary Code Execution. due to an insecure use of the eval() function. Node.js provides the eval() function by default, and is used to translate strings into Javascript code. An attacker can craft a malicious payload to inject arbitrary commands. pullit uses this function in order to call git commands, which originate from user input in terms of a carefully created remote branch name on GitHub, which pullit pulls branch names from.

PoC

  • Create a branch that could potentially terminate an exec() command and concatenate to it a new command: git checkout -b ";{echo,hello,world}>/tmp/c”
  • Push it to GitHub and create a pull request with this branch name
  • Run pullit from command line, select the relevant pull request to checkout locally
  • Read the contents of /tmp/c

Disclosure Timeline

  • Oct 24th, 2017 - Initial Disclosure
  • Jan 11th, 2018 - Second Reminder
  • Feb 14th, 2018 - Public GitHub issue opened
  • Feb 14th, 2018 - First response from maintainer
  • Feb 14th, 2018 - Vulnerability published
  • Feb 19th, 2018 - Vulnerability fixed

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.8 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical