Fossil SCM
RCE using a fake _FOSSIL_ file in a repository
980a72deddbce75…
opened 5 years, 7 months ago
- Type: Code_Defect
- Priority: Immediate
- Severity: Critical
- Resolution: Fixed
- Subsystem: —
- Created: Aug. 17, 2020 8:44 a.m.
Fossil does not allow a file named "_FOSSIL_" to be checked in, but it
does allow it to be checked out. A malicious user with check-in privilege
can create a rogue check-in that includes a new "_FOSSIL_" file that
contains harmful values for settings such as "last-sync-url" and "ssh-command".
When a victim updates to that rogue check-in and then tries to run some
other command that involves auto-sync, the malicious "ssh-command" is run,
resulting in RCE on the victim's machine.
This problem was discovered by Max Justicz.
Comments (3)
Fixed in . As discussed, the names _FOSSIL_ and .fslckout, but not the long-since-unused original name of .fos, are now outright prohibited by manifest_parse(), as is either of those names with any of the suffixes (-wal, -shm, and -journal). The prohibition applies to the whole tree, not just the top directory.
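As an added illustration of the rule the fix describes (this is not Fossil's own manifest_parse() code), the C check below refuses the reserved names _FOSSIL_ and .fslckout, with or without the -wal, -shm and -journal suffixes, in any component of a manifest filename rather than only at the top level. Case-insensitive comparison is an assumption made here, because a checkout may live on a case-insensitive filesystem; the sample paths in main() are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reserved checkout-database names and the SQLite side-file suffixes that
   must be refused anywhere in a check-in. The old ".fos" name is left out,
   matching the fix described in the ticket. */
static const char *const reserved_names[] = { "_FOSSIL_", ".fslckout" };
static const char *const reserved_suffixes[] = { "", "-wal", "-shm", "-journal" };

/* Case-insensitive equality of a length-bounded segment with a C string.
   Case-insensitivity is an assumption: checkouts may sit on case-insensitive
   filesystems, where "_fossil_" would open the same file as "_FOSSIL_". */
static int segment_equals_nocase(const char *seg, size_t n, const char *s) {
  for (size_t i = 0; i < n; i++) {
    if (s[i] == '\0' || tolower((unsigned char)seg[i]) != tolower((unsigned char)s[i]))
      return 0;
  }
  return s[n] == '\0';
}

/* Return 1 if one path component is a reserved name, with or without suffix. */
static int component_is_reserved(const char *seg, size_t n) {
  char buf[32];
  for (size_t i = 0; i < sizeof reserved_names / sizeof reserved_names[0]; i++) {
    for (size_t j = 0; j < sizeof reserved_suffixes / sizeof reserved_suffixes[0]; j++) {
      snprintf(buf, sizeof buf, "%s%s", reserved_names[i], reserved_suffixes[j]);
      if (segment_equals_nocase(seg, n, buf)) return 1;
    }
  }
  return 0;
}

/* Return 1 if any slash-separated component of a manifest filename is reserved,
   so a file nested in a subdirectory is refused just like one at the root. */
int manifest_filename_is_reserved(const char *path) {
  const char *p = path;
  for (;;) {
    const char *slash = strchr(p, '/');
    size_t n = slash ? (size_t)(slash - p) : strlen(p);
    if (n > 0 && component_is_reserved(p, n)) return 1;
    if (!slash) return 0;
    p = slash + 1;
  }
}

int main(void) {
  const char *samples[] = { "src/main.c", "_FOSSIL_", "lib/.fslckout-journal", "docs/.fos" };
  for (size_t i = 0; i < 4; i++)
    printf("%-24s %s\n", samples[i], manifest_filename_is_reserved(samples[i]) ? "REJECT" : "ok");
  return 0;
}
```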