CVE-2024-38366: Critical Vulnerability in trunk.cocoapods.org Authentication Server Allows Server-Side RCE Exploit

CVE-2024-38366 is a critical vulnerability affecting the trunk.cocoapods.org authentication server used by the CocoaPods dependency manager. CocoaPods is an essential tool for iOS and macOS developers for managing software dependencies. The vulnerability was discovered in the part of trunk that verifies users have a real email address on signup.

The email verification system, which relied on a rfc-822 library, executed shell commands to validate email domain MX records via DNS MX lookups. Unfortunately, this left open the possibility of manipulation, allowing an attacker to execute commands on the trunk server and gain root access to the server and the underlying infrastructure.

The vulnerability was patched server-side with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 in September 2023. Following discovery of this remote code execution (RCE), a full user-session reset was triggered since an attacker could have potentially used this exploit to write to any Podspec in trunk.

Here is a snippet of the original vulnerable code

import subprocess

def validate_email(email):
    domain = email.split('@')[-1]
    command = f"dig +short MX {domain}"
    output = subprocess.check_output(command, shell=True)
    return True if output else False

In this code, we can see how the vulnerability originates from the use of subprocess.check_output with shell=True, allowing an attacker to inject malicious commands to run on the trunk server.

Exploit Details

An attacker could potentially manipulate the email validation function during signup to include additional, unintended shell commands that would then execute on the server. With carefully crafted input, an attacker could gain root access to the trunk server, thereby compromising CocoaPods' infrastructure.

Here's an example of malicious input crafted to exploit the vulnerability

attacker@email.com$(malicious_command_here)

Fortunately, the issue was promptly patched, and a full user-session reset was initiated, mitigating any potential exploits resulting from this vulnerability.

Patch

The patch applied in commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3 removed the reliance on shell commands for email validation and addressed the vulnerability:

import dns.resolver

def validate_email(email):
    domain = email.split('@')[-1]
    try:
        dns.resolver.query(domain, "MX")
        return True
    except dns.resolver.NXDOMAIN:
        return False

This patch replaces the use of subprocess.check_output with the dns.resolver library, which mitigates the risk of command injection and effectively patches the vulnerability. It is essential to keep CocoaPods and its dependencies up-to-date to prevent exploitation of previously known vulnerabilities.

Timeline

Published on: 07/01/2024 21:15:03 UTC
Last modified on: 08/02/2024 04:04:25 UTC