Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

RCE in ExifTool on GitLab - 508

Vakzz, posted 4 years ago
  • ExifTool is a Perl library for reading, writing and manipulating image, audio and other file formats. GitLab is a code-hosting platform similar to GitHub. GitLab pays out 50% (now 100%, after this report) for findings in the open source projects it uses, in order to keep its own products secure.
  • ExifTool simply ignores file extensions and determines the format on the fly from the file's contents. Because of this, GitLab's file filter in front of the conversion step could be bypassed and the tool handed a format the filter was meant to exclude.
  • One of the supported file formats is DjVu. When parsing DjVu annotations, the string tokens are passed to Perl's insecure eval function to convert C escape sequences. Any time a system call is made or input is interpreted as code on the fly, it has to be looked into.
  • ExifTool attempted to validate and properly escape the input. However, a backslash followed by a newline could be used to break the parsing! Once the parsing was broken, quotes could be added to escape the string and insert arbitrary Perl commands.
  • This code injection gave RCE on the GitLab servers, which was demonstrated by popping a shell to read process information. Even though the bug was in a third-party tool, GitLab paid out 20K for the finding.
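The safe alternative to the eval-based conversion described above, as an added example (Python, not ExifTool's own Perl code): a table-driven decoder for the C escape sequences in DjVu annotation strings, where the tokenizer and the decoder both treat a backslash plus any single character (newline included) as one unit, so a backslash-newline pair cannot split the parsing the way the report describes. The annotation text is constructed for the example.

```python
import re

# Added example (not ExifTool's own code): resolve the C escape sequences in
# DjVu annotation string tokens with an explicit table instead of handing the
# token to eval. Nothing here is ever executed as code, so characters that a
# Perl string would interpolate or terminate ('"', '$', '@', ';') stay data.
_SIMPLE_ESCAPES = {
    'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'b': '\b', 'f': '\f',
    'v': '\v', '"': '"', "'": "'", '\\': '\\',
}
# One escape is \xHH, \ooo, or backslash + any single character (newline
# included, via DOTALL). The string tokenizer uses the same "backslash + any
# character" rule, so both stages see a backslash-newline pair identically.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)', re.DOTALL)
_STRING_TOKEN_RE = re.compile(r'"((?:\\.|[^"\\])*)"', re.DOTALL)


def decode_c_escapes(token: str) -> str:
    """Return the token with C escapes resolved; unknown escapes keep their char."""
    def replace(match: re.Match) -> str:
        esc = match.group(1)
        if esc == '\n':
            return ''          # backslash-newline: C line continuation, drop both
        if esc in _SIMPLE_ESCAPES:
            return _SIMPLE_ESCAPES[esc]
        if esc[0] == 'x' and len(esc) > 1:
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        return esc             # e.g. \q -> q, a bare \x -> x: just a character
    return _ESCAPE_RE.sub(replace, token)


def annotation_strings(annotation: str) -> list[str]:
    """Extract and decode every double-quoted string in a DjVu annotation chunk."""
    return [decode_c_escapes(m.group(1)) for m in _STRING_TOKEN_RE.finditer(annotation)]


# Constructed sample annotation: an escaped quote, a backslash-newline pair,
# hex and octal escapes, and a Perl sigil that must survive as plain text.
SAMPLE_ANNOTATION = r'''(metadata
 (Title "Quarterly \"Report\"")
 (Author "first \
second \x41\102 @user"))'''

if __name__ == "__main__":
    for s in annotation_strings(SAMPLE_ANNOTATION):
        print(repr(s))
```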