CVE-2022-0359 is a heap-based buffer overflow in Vim, the text editor developed in the GitHub repository vim/vim, affecting builds before patch 8.2.4214. The NVD and huntr entries describe the affected software as "GitHub repository vim/vim" because that is where the source is maintained; GitHub itself is not affected, nothing runs on a web server, and no GitHub login, repository or URL plays any part in triggering the bug. The flaw is in the code that sets up Vim's command-line buffer (init_ccline() in src/ex_getln.c): in Ex mode the buffer was allocated with a fixed size instead of being sized from the 'autoindent' width of the previous line, so a large 'tabstop' yields an indent that is written past the end of the heap allocation. The result is memory corruption in the user's Vim process, usually a crash. The references on this page do not describe remote exploitation; treat it as a local memory-safety bug in an application that opens attacker-influenced input.
Finding vulnerable builds
Vim's command-line buffer is not a script in a repository, so there is nothing to search GitHub for; the question is whether an installed Vim contains patch 8.2.4214. Run vim --version and read the "Included patches" line: a build whose patch range covers 4214 (or any later release line) has the fix. Distribution packages backport the fix without changing the upstream patch level, so on Debian and Gentoo consult the advisories in the references (the Debian LTS announcement and GLSA 202208-32) for the fixed package versions. The fixing commit is:
https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6cb1
Review of the vulnerable code
The overflow is in Vim's C source, not in a repository script. When a command line is started, init_ccline() in src/ex_getln.c allocates ccline.cmdbuff and, with 'autoindent' set, pre-fills it with the indent of the previous line so that the new line starts at the same column. The indent width is computed from 'tabstop': a single leading tab in the previous line with :set tabstop=500 is 500 columns wide. Before 8.2.4214 the Ex-mode path allocated a fixed-size buffer rather than one sized from that indent, so writing the indent overran the heap allocation. The fix in the referenced commit sizes the allocation from the indent (plus some slack) on every path and adds a regression test in src/testdir/test_ex_mode.vim that reproduces the scenario.
Triggering the bug
No account, repository or crafted URL is needed; the trigger is an ordinary editing session in an unpatched Vim, with the conditions taken from the regression test in the fixing commit:
- 'autoindent' is on and 'tabstop' is set very large, for example :set tabstop=500 autoindent.
- The current line starts with a tab, so its indent is 500 columns.
- Ex mode is entered (gQ) and the :insert command is run, so Vim reads new lines and pre-fills each one with the 500-column autoindent.
On a vulnerable build the pre-fill writes past the fixed-size heap buffer; with the fix the buffer is large enough and the lines are inserted normally. With the default 'tabstop' of 8 the indent stays well inside the old allocation, which is why the bug went unnoticed.

Mitigation
Update to a Vim build containing patch 8.2.4214 or the corresponding distribution package. There is no runtime workaround beyond avoiding Ex mode with 'autoindent' and unusually large 'tabstop' values on an unpatched build. Since a file's modeline can set 'tabstop' and 'autoindent', keeping 'modeline' disabled when editing untrusted files reduces exposure, although Ex mode still has to be entered by the user.
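The sizing mistake behind the overflow, modelled in C as an added example written for this page. It is not Vim's code: the constants EXMODE_FIXED_ALLOC (250) and INDENT_SLACK (50), the function names and the constructed previous line are assumptions chosen to mirror the behaviour described above, not vim identifiers. The model reproduces the indent arithmetic (a leading tab advancing to the next multiple of 'tabstop'), compares the pre-fix and post-fix sizing policies, and bounds-checks the pre-fill so it reports the overflow instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of the command-line buffer sizing behind CVE-2022-0359.
 * Illustrative code for this page, not vim's source. The constants and
 * names below are assumptions mirroring the described behaviour.
 */

/* Assumed fixed size the pre-fix Ex-mode path reserved for the command line. */
#define EXMODE_FIXED_ALLOC 250
/* Assumed slack the fixed sizing adds on top of the indent. */
#define INDENT_SLACK 50

/* Width in columns of the leading whitespace of `line`; a tab advances to
 * the next multiple of `tabstop`, which is how 'tabstop' is applied. */
size_t indent_width(const char *line, int tabstop)
{
    size_t col = 0;
    if (tabstop < 1)
        tabstop = 1;                /* guard the modulo below */
    for (const char *p = line; *p == ' ' || *p == '\t'; p++) {
        if (*p == '\t')
            col += (size_t)tabstop - (col % (size_t)tabstop);
        else
            col++;
    }
    return col;
}

/* Pre-fix policy: in Ex mode a fixed buffer, ignoring the autoindent width. */
size_t old_alloc_size(size_t indent, int exmode_active)
{
    return exmode_active ? EXMODE_FIXED_ALLOC : indent + 1;
}

/* Post-fix policy: always sized from the indent that will be written. */
size_t new_alloc_size(size_t indent, int exmode_active)
{
    (void)exmode_active;
    return indent + INDENT_SLACK;
}

/* Bytes that writing `indent` spaces plus a NUL would land past `alloc`. */
size_t overflow_bytes(size_t alloc, size_t indent)
{
    size_t needed = indent + 1;
    return needed > alloc ? needed - alloc : 0;
}

/* Allocate the command-line buffer under `policy` and pre-fill it with the
 * autoindent of `prev_line`, as happens with 'autoindent' set. The write is
 * bounds-checked here so the model reports the overflow rather than doing
 * it; the pre-fix editor had no such check. Returns the overflow size
 * (0 when the write fit) and hands back the buffer via *out. */
size_t fill_autoindent(const char *prev_line, int tabstop, int exmode_active,
                       size_t (*policy)(size_t, int), char **out)
{
    size_t indent = indent_width(prev_line, tabstop);
    size_t alloc = policy(indent, exmode_active);
    size_t over = overflow_bytes(alloc, indent);
    char *buf = malloc(alloc);
    *out = buf;
    if (buf == NULL)
        return over;
    if (over == 0) {
        memset(buf, ' ', indent);   /* this memset is the overflowing write pre-fix */
        buf[indent] = '\0';
    } else {
        buf[0] = '\0';              /* refuse the write; caller sees `over` */
    }
    return over;
}

/* Run the model end to end with the old (fixed=0) or new (fixed=1) policy
 * and return only the overflow size. */
size_t model_overflow(const char *prev_line, int tabstop, int exmode_active, int fixed)
{
    char *buf;
    size_t over = fill_autoindent(prev_line, tabstop, exmode_active,
                                  fixed ? new_alloc_size : old_alloc_size, &buf);
    free(buf);
    return over;
}

int main(void)
{
    const char *prev = "\t";        /* constructed: one leading tab, as in the regression test */
    printf("tabstop=500, Ex mode, old sizing: overflow by %zu bytes\n",
           model_overflow(prev, 500, 1, 0));
    printf("tabstop=500, Ex mode, new sizing: overflow by %zu bytes\n",
           model_overflow(prev, 500, 1, 1));
    printf("tabstop=8 (default), Ex mode, old sizing: overflow by %zu bytes\n",
           model_overflow(prev, 8, 1, 0));
    return 0;
}
```

With the old policy and a 500-column indent the model reports a 251-byte overrun (501 bytes needed, 250 allocated); with the new policy, or with the default 'tabstop' of 8, it reports none. The point the numbers make is that the allocation must be derived from the data that will be written into it, not from the mode the editor happens to be in.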
Timeline
Published on: 01/26/2022 12:15:00 UTC
Last modified on: 08/26/2022 19:15:00 UTC
References
- https://huntr.dev/bounties/a3192d90-4f82-4a67-b7a6-37046cc88def
- https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6cb1
- https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html
- https://security.gentoo.org/glsa/202208-32
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0359