Of course I took a peek at the Claude Code source 🙈.

What I found was a very entertaining vulnerability which is now fixed since Claude Code version 2.1.118.

Just wading through the massive codebase manually wasn’t really a feasible approach. So took an army of AI Agents to…. no wait actually I did not do that, the following was all manual work. :P

I started by looking at different configuration options and tried to see what’s actually “useful” from an attacker’s perspective. On the way, in main.tsx I came across eagerLoadSettings, it eagerly loads settings, obviously:

Given my interest in SCM and CI systems I was a little keen to see how this is done at Mozilla as part of their bug bounty program. Thanks to freddy I was granted Level 1 access to Mozilla’s SCM at hg.mozilla.org in late 2022. As Mozilla is a pretty transparent company I found the version-control-tools repository which contains the code and configuration behind hg.mozilla.org.

I spent a couple of hours to a very few days looking at this code, setting up a simplified test system, and popping shells on the infrastructure around Christmas 2022. In this post I’ll outline one of two authenticated RCE flaws I identified and reported to Mozilla on the 26th of December in 2022.

I was staring at this part of the code for way too long already:

module Jobs

  class ConfirmSnsSubscription < ::Jobs::Base
    sidekiq_options retry: false

    def execute(args)
      return unless raw = args[:raw].presence
      return unless json = args[:json].presence
      return unless subscribe_url = json["SubscribeURL"].presence

      require "aws-sdk-sns"
      return unless Aws::SNS::MessageVerifier.new.authentic?(raw)

      # confirm subscription by visiting the URL
      open(subscribe_url)
    end

  end

end

The above code is an excerpt from Discourse’s AWS notification webhook handler. This handler can be triggered without further authentication under https://somedicourseinstance/webhooks/aws. In the above code args[:raw] is the raw POST body and args[:json] is the POST body but parsed as JSON.

Discourse offers the possibility to install themes from remote Git repositories. Before this commit it was possible to inject OS commands via a maliciously crafted theme which is pulled via Git.

The root cause for the issue lay in the parsing of the .discourse-compatibility file which is a yaml file containing a mapping of the target discourse version and a git version to be checked out for that specific discourse version.

The version information is passed to

While attendig WarCon in 2016 greg and I sat together in .mario’s talk My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, “e”, his rants about MSIE reminded us of the fact that we both had the task of finding a Mosaic 0day still on our agenda. So the evening after the talk we sat down together and started approaching that goal.

The latest version of Mosaic for Unix which can be found at ftp://ftp.ncsa.uiuc.edu/Mosaic/Unix/binaries/2.7b/ is 2.7b, released roughly 24 years ago. So we got the static binary for Linux and threw it in a somewhat recent 32bit Ubuntu VM.