8 CVE-2024-52308

RCE Path Traversal
 

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username information is being validated before being used.
https://nvd.nist.gov/vuln/detail/CVE-2024-52308

Categories

CWE-77 : Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. an attack-oriented phrase for this weakness. Note: often used when "OS command injection" (CWE-78) was intended. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) If at all possible, use library calls rather than external processes to recreate the desired functionality. If possible, ensure that all external commands called from the program are statically created. Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands. Assign permissions that prevent the user from accessing/opening privileged files. injection of sed script syntax ("sed injection") API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts. anti-spam product allows injection of SNMP commands into confiuration file image program allows injection of commands in "Magick Vector Graphics (MVG)" language. Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution. Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. injection of sed script syntax ("sed injection") injection of sed script syntax ("sed injection")

References

security-advisories@github.com


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:github:cli:*:*:*:*:*:*:*:* < 2.62.0


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
136 LDAP Injection
High
15 Command Delimiters
High
183 IMAP/SMTP Command Injection
Medium
248 Command Injection
High
40 Manipulating Writeable Terminal Devices
Very High
43 Exploiting Multiple Input Interpretation Layers
High
75 Manipulating Writeable Configuration Files
Very High
76 Manipulating Web Input to File System Calls
Very High