Command_Injection
It was discovered that the prod account has a sudo privilege to execute a Python script located at /opt/internal_apps/clone_changes/clone_prod_change.py, along with a wildcard in the rule.
clone_prod_change.py
```
prod@editorial:~$ cat /opt/internal_apps/clone_changes/clone_prod_change.py
#!/usr/bin/python3
import os
import sys
from git import Repo
os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]
r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
```
Looking at the Python script, it uses the GitPython module to clone the repository given as the first argument into the /opt/internal_apps/clone_changes/new_changes directory.
The interesting part is the option -c protocol.ext.allow=always, which is risky because it enables the ext:: remote helper for every clone, which might expose the system to malicious URLs.
Searching further online reveals a vulnerability: CVE-2022-24439.
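As an added defensive example (not code from the Editorial box or from the GitPython project), the validator below shows what the script above is missing: it classifies the URL taken from sys.argv[1] before anything is passed to GitPython, rejects remote-helper syntax (ext::, fd:: and similar), local paths and option-like arguments, and the clone wrapper pins protocol.ext.allow to never instead of always. The function names, the `clone` injection parameter and the sample URLs are assumptions made for this example.

```python
"""Defender-side URL validation for a GitPython clone job (added example)."""
from urllib.parse import urlsplit

# Transports a repository-cloning job should reasonably accept.
# scp-style "user@host:path" has no scheme and is rejected on purpose;
# require the explicit ssh:// form instead.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


def classify_clone_url(url: str) -> str:
    """Return 'ok' or a short reason the URL must be rejected.

    Anything that would make git spawn a helper process, read a local path,
    or treat the argument as an option is refused before git ever sees it.
    """
    if not url or url != url.strip():
        return "empty or padded"
    if url.startswith("-"):
        return "looks like an option"        # could be parsed as a git flag
    if "::" in url:
        return "remote-helper syntax"        # ext::, fd::, <helper>:: forms
    if any(ch in url for ch in ("\n", "\r", "\x00")):
        return "control character"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {scheme or 'none'}"
    if not parts.hostname:
        return "no host"
    return "ok"


def is_safe_clone_url(url: str) -> bool:
    """Convenience boolean around classify_clone_url."""
    return classify_clone_url(url) == "ok"


def safe_clone(url: str, dest: str, clone=None):
    """Clone only after validation, with the ext helper explicitly disabled.

    `clone` is an injectable callable (assumption for this example) so the
    wrapper can be exercised without git installed; by default it uses
    GitPython's Repo.clone_from, which is the call the original script makes.
    """
    reason = classify_clone_url(url)
    if reason != "ok":
        raise ValueError(f"refusing to clone {url!r}: {reason}")
    if clone is None:
        from git import Repo  # GitPython; imported lazily so validation runs standalone
        clone = Repo.clone_from
    # Same -c option shape as the original script, but the helper is turned off.
    return clone(url, dest, multi_options=["-c protocol.ext.allow=never"])


if __name__ == "__main__":
    # Constructed sample inputs; none of these are cloned here.
    for sample in ("https://example.com/team/app.git",
                   "ssh://git@example.com/team/app.git",
                   "ext::some-helper",
                   "/tmp/local-repo",
                   "-c core.editor=vi"):
        print(f"{sample!r}: {classify_clone_url(sample)}")
```

Validating the argument removes the URL-driven helper execution; it does not change the sudo rule itself, so the wildcard in that rule still needs to be tightened separately.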
Moving on to the [[Editorial_Privilege_Escalation#|Privilege Escalation]] phase.