CVE-2018-13385 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Severity

75%

Complexity

99%

Confidentiality

106%

There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for macOS from 1.0b2 before 2.7.6 are affected by this vulnerability.

CVSS 3.0 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Demo Examples

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CWE-88

The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.


               
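    #include <stdlib.h>
    #include <string.h>
    #define CMD_MAX 256  /* buffer size is not shown on the page; assumed */
    int main(int argc, char **argv) {
        char cmd[CMD_MAX] = "/usr/bin/cat ";
        strcat(cmd, argv[1]);  /* unchecked user input appended to the command */
        system(cmd);           /* the whole string is handed to the shell */
    }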

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120).
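
A hardened form of the wrapper described above, as an added example that is not part of the original page or of the CWE entry: it runs cat through execve() with a fixed argument vector instead of building a shell string, and places "--" before the filename so a name beginning with "-" cannot be taken as an option. The names run_cat, filename_ok and CAT_PATH, the /bin/cat location and the 4096-byte length limit are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAT_PATH "/bin/cat"   /* assumed location of cat on this system */
#define NAME_MAX_LEN 4096     /* assumed upper bound for a path argument */

/* Reject input the wrapper should never forward: NULL, empty, over-long. */
static int filename_ok(const char *name) {
    return name != NULL && name[0] != '\0' && strlen(name) < NAME_MAX_LEN;
}

/* Run cat on exactly one file. Returns cat's exit status, or -1 on error. */
int run_cat(const char *filename) {
    if (!filename_ok(filename))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Each argv slot is one argument and no shell parses the name, so
         * ';', '|', spaces and quotes are ordinary filename bytes.
         * "--" ends option parsing, so a name that starts with '-' is
         * opened as a file and never read as a switch (the CWE-88 case). */
        char *const args[] = { CAT_PATH, "--", (char *)filename, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed env */
        execve(CAT_PATH, args, envp);
        _exit(127);           /* reached only if execve itself failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    return run_cat(argv[1]) == 0 ? 0 : 1;
}
```

Because the name is copied into no fixed-size buffer, the CWE-120 concern noted above does not arise in this form either.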

Overview

Type

Atlassian Sourcetree 1.0

First reported 6 years ago

2018-07-24 13:29:00

Last updated 4 years ago

2020-05-11 16:29:00

Affected Software

Atlassian Sourcetree 1.0 Beta 2 for macOS

1.0
macos

Atlassian Sourcetree 1.0 Beta 3 for macOS

1.0
macos

Atlassian Sourcetree 1.0 Beta 4 for macOS

1.0
macos

Atlassian Sourcetree 1.0 Beta 5 for macOS

1.0
macos

Atlassian Sourcetree 1.0 Release Candidate 1 for macOS

1.0
macos
