Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804)

AssetNote, posted 3 years ago
  • Bitbucket is a source-hosting service similar to GitHub. The authors of this post were after an RCE bug. Since a Git hosting platform inevitably shells out to git, they wanted a way to trace which HTTP requests end up in which git invocations.
  • To trace this, they used pspy, a tool that watches process execution on a host without requiring root. They sent a large number of requests with the canary string PEWPEW in every parameter and looked for git processes whose command line contained the canary.
  • First, they found an argument injection bug, but it appeared unexploitable: the command whose argument list they could influence offered nothing useful to inject. Eventually they traced a call to git archive in which the value of --prefix= was attacker-controlled.
  • Bitbucket is written in Java. Java's ProcessBuilder passes arguments as an array rather than through a shell, so a user-controlled value normally lands in exactly one argv entry: you can set that one argument, but you cannot split it into additional arguments. Passing null bytes (%00) in the parameter turned out to bypass that assumption.
  • By sending padding%00--option%00padding as the prefix, the injected --option escaped the --prefix= argument, and git reported that --option was not a recognised option for the subcommand. Amazing! They had escaped the argument simply by fuzzing and trying different things.
  • git archive has the flag --exec, which names the program run on the remote side of the transfer (git-upload-archive by default). With --remote=file:/// the "remote" is the local machine, so whatever --exec names is executed locally. The final injection input was x%00--exec=/bin/bash+-c+'touch+/tmp/haced%23'%00--remote=file:///%00x.
  • After writing the exploit, the authors worked out why the null bytes worked. Atlassian's patch rejects null bytes in the parameters of this call. The reason is that command execution bottoms out in the native function Java_java_lang_ProcessImpl_forkAndExec, which receives the arguments not as a Java array but as one flat byte block in which every argument is terminated by a null byte, together with a separate argument count.
  • The native side recovers argv by walking that block from one null terminator to the next, so a null byte embedded in one argument is read as the end of that argument and the start of the next. That is what turned a single --prefix= value into several arguments, and because only the original count of entries is read, the command's real trailing arguments are pushed off the end. Pretty neat!
  • Sometimes fuzzing and trying random things is more important than understanding the entire ecosystem through and through. I probably would not have found this, simply because I would have assumed the Java API was secure against this. Overall, good article!
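To make the mechanism concrete, here is an added example (my own code, not from the Assetnote post, Bitbucket or the JDK) that models in plain C what happens between Java's ProcessBuilder and the native side: it builds the flat null-separated argument block the way java.lang.ProcessImpl does, then splits it back into argv with a loop that mirrors initVectorFromBlock() in the JDK's ProcessImpl_md.c, which trusts the Java-side argc and scans for null terminators. The git archive command line, the function names, and the payload (a harmless /bin/echo in place of bash) are constructed assumptions for illustration; the program executes nothing, it only shows the argv that would be handed to execve, with and without the null-byte rejection the fix relies on.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS  16
#define BLOCK_CAP 1024

/* An argument with an explicit length, so it can carry embedded NUL bytes
   (strlen would stop at the first one and hide the problem). */
struct arg { const char *bytes; size_t len; };

/* Build the flat argBlock the way java.lang.ProcessImpl does before calling
   forkAndExec: each argument's bytes followed by one NUL. Returns the block
   length, or 0 if it does not fit. */
static size_t build_arg_block(const struct arg *args, int argc,
                              char *block, size_t cap)
{
    size_t off = 0;
    for (int i = 0; i < argc; i++) {
        if (off + args[i].len + 1 > cap) return 0;
        memcpy(block + off, args[i].bytes, args[i].len);
        off += args[i].len;
        block[off++] = '\0';
    }
    return off;
}

/* Mirror of initVectorFromBlock() in the JDK's ProcessImpl_md.c: the native
   side trusts the Java-side argc and finds each argument by scanning for the
   next NUL. A NUL inside an argument therefore ends it early, the bytes after
   it become the next argv entry, and the last real arguments fall off. */
static void init_vector_from_block(const char **vector, const char *block,
                                   int count)
{
    const char *p = block;
    for (int i = 0; i < count; i++) {
        vector[i] = p;              /* invariant: p starts a C string */
        while (*p++) { }
    }
    vector[count] = NULL;
}

/* The check the fix relies on: refuse any parameter carrying a NUL byte. */
static int contains_nul(const char *bytes, size_t len)
{
    return memchr(bytes, '\0', len) != NULL;
}

/* Hypothetical archive command (NOT Bitbucket's real command line). Fills
   out_argv with what the native side would execve for a given prefix and
   returns the Java-side argc, or -1 when reject_nul is set and the value
   contains a NUL. A trailing '/' is appended to the prefix as git expects. */
static int build_git_archive_argv(const char *prefix, size_t prefix_len,
                                  int reject_nul, const char **out_argv,
                                  char *block, size_t cap)
{
    if (reject_nul && contains_nul(prefix, prefix_len)) return -1;

    static const char head[] = "--prefix=";
    char prefix_arg[256];
    size_t hl = sizeof head - 1;
    if (hl + prefix_len + 1 > sizeof prefix_arg) return -1;
    memcpy(prefix_arg, head, hl);
    memcpy(prefix_arg + hl, prefix, prefix_len);
    prefix_arg[hl + prefix_len] = '/';
    size_t prefix_arg_len = hl + prefix_len + 1;

    const struct arg args[] = {
        { "git", 3 }, { "archive", 7 }, { "--format=zip", 12 },
        { prefix_arg, prefix_arg_len },
        { "HEAD", 4 }, { "--", 2 }, { "README.md", 9 },
    };
    int argc = (int)(sizeof args / sizeof args[0]);
    if (argc + 1 > MAX_ARGS) return -1;
    if (build_arg_block(args, argc, block, cap) == 0) return -1;
    init_vector_from_block(out_argv, block, argc);
    return argc;
}

/* Shared result storage so the scenarios below can be inspected. */
static const char *g_argv[MAX_ARGS];
static char g_block[BLOCK_CAP];

/* Constructed payload shaped like the post's: three NULs split one --prefix
   value into four argv entries (harmless echo instead of bash). */
static int run_payload(int reject_nul)
{
    static const char payload[] =
        "x\0--exec=/bin/echo pwned\0--remote=file:///\0x";
    return build_git_archive_argv(payload, sizeof payload - 1, reject_nul,
                                  g_argv, g_block, sizeof g_block);
}

/* A normal prefix passes the NUL check and stays a single argument. */
static int run_benign(void)
{
    return build_git_archive_argv("release", 7, 1,
                                  g_argv, g_block, sizeof g_block);
}

int main(void)
{
    int argc = run_payload(0);
    for (int i = 0; i < argc; i++) printf("argv[%d] = %s\n", i, g_argv[i]);
    printf("same request with NUL check: %d\n", run_payload(1));
    return 0;
}
```

Running it shows the injected --exec and --remote landing as their own argv entries while HEAD, -- and README.md are dropped because the native loop stops after the original seven entries; the trailing x of the payload is what fills the positional slot git archive reads its tree-ish from. With the NUL check enabled the same request is refused before any block is built, which is the property a reviewer should look for in the fix: the rejection has to happen on the raw parameter, since by the time the bytes reach the native side the argument boundaries are already lost.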