Given my interest in SCM and CI systems I was a little keen to see how this is done at Mozilla as part of their bug bounty program. Thanks to freddy I was granted Level 1 access to Mozilla’s SCM at hg.mozilla.org in late 2022. As Mozilla is a pretty transparent company I found the version-control-tools repository which contains the code and configuration behind hg.mozilla.org. I spent a couple of hours to a very few days looking at this code, setting up a simplified test system, and popping shells on the infrastructure around Christmas 2022.
I was staring at this part of the code for way too long already:

    module Jobs
      class ConfirmSnsSubscription < ::Jobs::Base
        sidekiq_options retry: false

        def execute(args)
          return unless raw = args[:raw].presence
          return unless json = args[:json].presence
          return unless subscribe_url = json["SubscribeURL"].presence

          require "aws-sdk-sns"
          return unless Aws::SNS::MessageVerifier.new.authentic?(raw)

          # confirm subscription by visiting the URL
          open(subscribe_url)
        end
      end
    end

The above code is an excerpt from Discourse’s AWS notification webhook handler. This handler can be triggered without further authentication under https://somedicourseinstance/webhooks/aws.
Discourse offers the possibility to install themes from remote Git repositories. Before this commit it was possible to inject OS commands via a maliciously crafted theme which is pulled via Git. The root cause of the issue lay in the parsing of the .discourse-compatibility file, a YAML file containing a mapping from a target Discourse version to the Git revision to be checked out for that specific Discourse version.
While attending WarCon in 2016, greg and I sat together in .mario’s talk My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, “e”. His rants about MSIE reminded us of the fact that we both still had the task of finding a Mosaic 0day on our agenda. So the evening after the talk we sat down together and started approaching that goal. The latest version of Mosaic for Unix which can be found at ftp://ftp.
I’ve gotten a couple of questions about exploitation for the recent RCE in Git. So here we go with some technical details. TL;DR Here is a PoC repository. Exploitation The .gitmodules file looks as follows:

    [submodule "x:x"]
        path = x:x
        url = -u./payload

The actual command being injected is set by the url: -u./payload points the upload-pack flag of git clone to the payload shell script. Note also the : within the path; this part is needed to actually get the payload script executed.