OS Command Injection in Git-it #3

Closed
dwisiswant0 opened this issue Aug 5, 2021 · 2 comments
Labels
disclosed Disclosure/advisory has been published & disclosed poc Proof-of-concept dropped

Comments


dwisiswant0 commented Aug 5, 2021

Description

Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution).

CVE ID: CVE-2021-44685

Proof-of-Concept

Vulnerable code: https://github.com/jlord/git-it-electron/blob/4f397578eb057b6b4f8d2f3ffcccc57c5213e463/lib/verify/branches_arent_just_for_birds.js#L55

Git it OS Command Injection Proof-of-Concept

See in high-quality video here.

Impact

This issue may lead to arbitrary command execution.

References

@dwisiswant0 dwisiswant0 added the needs triage Coordinated disclosure that need to be triaged label Aug 5, 2021
@dwisiswant0 dwisiswant0 self-assigned this Aug 5, 2021

github-actions bot commented Dec 4, 2021

It seems like it's been 120 days; has this disclosure not received a response from the vendor yet? Please make a decision in the next 2 days.

@github-actions github-actions bot added the deadline Disclosure deadline (120-day) reached & make a decision for disclosure label Dec 4, 2021
@dwisiswant0 dwisiswant0 added TBD Advisory to be determined and removed needs triage Coordinated disclosure that need to be triaged labels Dec 4, 2021
@dwisiswant0

No confirmation at all. CVE requested.

@github-actions github-actions bot removed TBD Advisory to be determined deadline Disclosure deadline (120-day) reached & make a decision for disclosure labels Dec 5, 2021
@dwisiswant0 dwisiswant0 added the TBD Advisory to be determined label Dec 6, 2021
@dwisiswant0 dwisiswant0 added disclosed Disclosure/advisory has been published & disclosed and removed TBD Advisory to be determined labels Dec 6, 2021
@dwisiswant0 dwisiswant0 changed the title OS Command Injection in huntr#1626226318821 OS Command Injection in Git-it Dec 6, 2021
@dwisiswant0 dwisiswant0 added the poc Proof-of-concept dropped label Dec 6, 2021