

GitHub RCE by Environment variable injection Bug Bounty writeup - helper
https://gist.github.com/joernchen/a7c031b6b8df5d5d0b61

======
mappu
I decided to actually read man ld.so and came across this:

        --ignore-rpath LIST
            Ignore RPATH and RUNPATH information in object  names  in  LIST.
            This  option  has  been  supported by glibc2 for about one hour.
            Then it was renamed into:
        --inhibit-rpath LIST

I'm not sure if it's a joke or an incredible testament to backwards
compatibility.

I've been writing a COFF linker recently, and have been reading lots of
comments and man pages about linkers and loaders. The more I read, the more I
think dynamic linking isn't such a good idea after all.

------
userbinator
They must've expected usernames to not contain anything other than
alphanumeric characters... this is yet another example of the fact that if you
write code that consumes external, untrusted input, always expect that every
single byte value from 0 to 0xFF could be present, and deal with them
accordingly.
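Added example, not code from the thread or from GitHub: an allow-list check of the kind this comment calls for, applied before a username is written into an authorized_keys forced-command line. The `/usr/bin/gerve` path, the username policy and the key material are constructed placeholders.

```python
import re

# Constructed policy for this example: alphanumerics and inner hyphens only,
# 1..39 characters. Everything else, including every control byte
# (0x00-0x1F, 0x7F) that could start a new line or a new option, is rejected.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?")


class UnsafeUsername(ValueError):
    """Raised when a username falls outside the allow-list."""


def is_safe_username(name: str) -> bool:
    # fullmatch anchors both ends, so "\n" or "\x00" anywhere fails the check
    return SAFE_USERNAME.fullmatch(name) is not None


def validate_username(name: str) -> str:
    if not is_safe_username(name):
        raise UnsafeUsername(f"username rejected: {name!r}")
    return name


def authorized_keys_line(username: str, pubkey: str,
                         helper: str = "/usr/bin/gerve") -> str:
    """Build one forced-command authorized_keys line for a user.

    The username is validated first, so it can never carry a line break or
    any other byte that would be read as a second line or extra option.
    `helper` is a placeholder path; the real gerve location is not on the page.
    """
    user = validate_username(username)
    if "\n" in pubkey or "\r" in pubkey:
        raise ValueError("public key must be a single line")
    options = [
        f'command="{helper} {user}"',
        "no-port-forwarding",
        "no-X11-forwarding",
        "no-agent-forwarding",
        "no-pty",
    ]
    return f"{','.join(options)} {pubkey}"


# Constructed key material, not a real key.
EXAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKey user@example"

if __name__ == "__main__":
    print(authorized_keys_line("joernchen", EXAMPLE_KEY))
```

Run it to see the single-line result; pass a name such as "a\nb" and `validate_username` raises instead of emitting a second line.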

------
krallja
We prevent this specific attack in Kiln by only allowing specific environment
variables to be set.

------
jwcrux
Any idea what the bounty was for this finding?

------
0x0
Will this affect bitbucket as well?

~~~
guipsp
No.

~~~
0x0
Why not?

Is it specific to GitHub's "gerve" application?

What and where is the bug exactly - I mean, how can a username with linefeeds
end up setting environment variables? And what username is being set - ssh?
GitHub account? Wouldn't you need to use exactly the username "git" when
ssh'ing in to GitHub to trigger this gerve app anyways?

~~~
SolarNet
Read closely and you'll see the answers in the link:

Yes. "it is possible to inject some environment variables into gerve"

Because it's his GitHub username. You answered that question yourself:

"And what username is being set - ssh? github account? wouldn't you need to
use exactly the username 'git' when ssh'ing in to github to trigger this gerve
app anyways?"

So if it's not his ssh username it must be his... 'GitHub username'! It's the
only other possibility you could think of, right?

...

