Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

GitHub Pages - Multiple RCEs via insecure Kramdown configuration

William Bowling
  • GitHub Pages is a static site hosting platform, available through GitHub Enterprise. The creation process of these sites was interesting though!
  • The YAML configuration of a site was used to set options for Kramdown, the Markdown parser. After reviewing the Kramdown source code, the author noticed several interesting paths...
  • First, one path allowed arbitrary files to be loaded (required) into Ruby, and it did not protect against directory traversal! So, if the author could find a file whose contents he controlled, he would have an easy RCE. Because a newly added site was briefly written to the tmp directory, that gave him a controllable file, and he could execute arbitrary code.
  • Secondly, another path allowed arbitrary top-level Ruby objects to be loaded, with the first parameter under the attacker's control. Using a brute-force script to enumerate all loadable objects, the author found another arbitrary require! Both bugs relied on the same temporary-file read to get the payload executed.
  • To keep the temporary file around long enough, the author uploaded a VERY large file so that the race condition could be won.
  • Usually, RCEs come from command injection or some type of memory corruption. In this case, it was an arbitrary file include! I find these bugs fairly interesting; they are definitely something I had never thought of before!