![]() ![]() GitHub to the rescue! GitHub is not only an affordable resource but also features a great open-source community. How would the company hire developers for so many diverse locations?.How would the company maintain workflow visibility and avoid redundancies in such a large workforce?.We could best summarize Decathlon’s problems as: The company has over 1600 stores in 57 countries, with more than 87,000 employees.Įvery company, no matter how large or small, inevitably experiences challenges and obstacles. 5 Fixed - GitHub Desktop v1.3.Let’s consider the case of Decathlon, the world’s largest sporting goods retail brand.9 Reported to GitHub via HackerOne #397045.Trusting GitHub Desktop URLs - Always open these types of links in the associated app ✓. ![]() He/She would be able to achieve remote code execution on the machines of GitHub Desktop users on OSX.Ī one-click RCE has the following requirements: The attack scenario: An attacker can include an OSX app on his repository and distribute an evil link, for example in a README.md or in the page of a given project. ![]() Otherwise, no interaction required, as shown in the second part of the video PoC. If github-desktop-poc wasn’t cloned previously, the user would need to click clone, but the specified file would be opened immediately after this action. system ( "open -a calculator.app" ) s = socket. Since the app is cloned through Git the OS will not prompt the user to confirm this action. First, I thought that OSX would be able to detect that this app was downloaded from the Internet. However, a respository can contain an app for OSX, which is basically a directory with the Application Bundle. Opening an URL like this would pop a calculator, so at this point it was possible to escape the repository directory, and arbitrary apps or files could be opened in the filesystem. What if… we provide a filepath parameter like: "./././././././././././Applications/Calculator.app" ? If this repo doesn’t exist, the app prompts the user to clone it and then opens the file. One of the supported actions in this URL is openRepo, which automatically opens a given file in a repository. I started playing with x-github-client://, which is the URI scheme used by GitHub Desktop. Maybe not in every OS? Well, you probably have seen this before: If something like this was reported previously, it’s probably safe to say that it is fixed. I noticed that reported an RCE on GitHub Desktop last year: You can find the public list of bug bounty hunters and vulnerabilities here: But, guess what? It was out of scope for the event! It’s also out of scope in the normal program, but you can read that “occasionally, exceptional reports are rewarded at our discretion on a case by case basis.” The Vulnerability ![]() I started playing with GitHub Desktop and found a way to achieve RCE in OSX. I like to hack software I use everyday, because I already know lots of features in advance, so I felt GitHub would be a good target. One of the targets of this event was GitHub. I was invited to H1-702 2018, a HackerOne live-hacking event in Las Vegas that paid over $500k dollars in bounties. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |