[LOTP] Bash (wut ?!) #29
Exactly.
https://slides.com/tr4l/2024#/5/6
On Fri, 30 Aug 2024, 01:26, Adnan Khan ***@***.***> wrote:
Something like this? So it seems like any form of injection where we can
pass newlines into the environment file -> RCE on default run steps.

on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: ***@***.***
      - name: Foobar
        run: |
          echo "FOOBAR=$PR_BODY" >> $GITHUB_ENV
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
      - run: |
          echo "Hello"
An actual vuln: GHSA-h52q-xhg2-6jw8

Hey that's pretty cool! GHSL has been doing some amazing work reporting issues to OSS projects.

More ideas from the TDF CTF
Bash, but with a twist
Bash in itself is used for executing stuff, so this is somehow a "normal" usage, but with a twist.
Configuration files
Env variable
Documentation
https://www.gnu.org/software/bash/manual/bash.html#Bash-Variables
Github example
In this example we can inject a bashrc, as bash is the default shell on the runner.
Some runners use the following default command for the shell:
/usr/bin/bash --noprofile --norc -e -o pipefail "/tmp/computed/step.sh"
This will not run any bashrc or initrc because of the --noprofile and --norc.
However, it will execute the file defined in BASH_ENV, so with a file write + env injection, the second step can be injected, without anything visible in that step that indicates an injection.
Additional notes
This is the default on GitHub Actions, so yeah, a lot of potential targets.
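A defender's check for the pattern above, added here as an example that is not part of this issue or the LOTP project: it shows what the `echo "FOOBAR=$PR_BODY" >> $GITHUB_ENV` step actually appends when the body carries a newline, the heredoc form that keeps such a value inside a single assignment, and an audit that flags a `BASH_ENV` assignment smuggled into the file. The denylist and the exact parsing rules are assumptions modelled on the documented `NAME=VALUE` / `NAME<<DELIMITER` syntax.

```python
"""Constructed example (not from the LOTP project or this issue): reproduce
what `echo "NAME=$VALUE" >> $GITHUB_ENV` appends when VALUE holds a newline,
build the heredoc form that keeps such a value in one assignment, and audit
a GITHUB_ENV file for names (BASH_ENV first of all) that reconfigure later
bash steps.  Parsing follows the documented syntax; runner fidelity is assumed."""
import re
import secrets

# Assumed denylist: BASH_ENV is sourced by non-interactive bash even under
# --noprofile --norc; the others change the loader or program lookup.
DANGEROUS_NAMES = {"BASH_ENV", "ENV", "LD_PRELOAD", "LD_LIBRARY_PATH", "PATH"}
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def unsafe_echo_line(name, value):
    """What the `echo "NAME=$VALUE" >> $GITHUB_ENV` step appends, verbatim."""
    return f"{name}={value}\n"

def safe_env_line(name, value, delim=None):
    """GITHUB_ENV entry that survives newlines in value; refuses risky names."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid variable name: {name!r}")
    if name.upper() in DANGEROUS_NAMES:
        raise ValueError(f"refusing to set {name}: it alters how later steps run")
    if delim is None:
        delim = "EOF_" + secrets.token_hex(16)  # unguessable, so value cannot close it
    if delim in value:
        raise ValueError("value contains the heredoc delimiter")
    return f"{name}<<{delim}\n{value}\n{delim}\n"

def audit_github_env(text):
    """Return the denylisted names assigned anywhere in a GITHUB_ENV file."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        eq, here = line.find("="), line.find("<<")
        if eq >= 0 and (here < 0 or eq < here):      # NAME=VALUE
            name = line[:eq]
        elif here >= 0:                              # NAME<<DELIM ... DELIM
            name, delim = line[:here], line[here + 2:]
            i += 1
            while i < len(lines) and lines[i] != delim:
                i += 1                               # body lines are data, not assignments
        else:
            i += 1
            continue
        if name.strip().upper() in DANGEROUS_NAMES:
            findings.append(name.strip())
        i += 1
    return findings
```

Run `audit_github_env` over the runner's env file between steps, or over a workflow's expected writes in CI, to catch an injected `BASH_ENV` before the next bash step starts.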