GitHub has awarded $18,000 to a researcher who found a bug in the GitHub Enterprise management console that could have led to remote code execution.
The company patched the vulnerability by the end of January, but the flaw was not made public until this week, when GitHub and Markus Fenske, an independent German pen-tester, disclosed it.
GitHub Enterprise is an on-premises version of GitHub.com that organisations can deploy on their own local networks. The vulnerability is actually a combination of two bugs, Fenske said on Thursday.
The first problem is that the Ruby on Rails session secret for the console was a static value. That secret is supposed to be randomly generated per machine and is used to sign the session cookie; it should never be a fixed value.
GitHub acknowledged on Tuesday that the static secret was only meant for its own testing and development, but “an unrelated change of the file permissions prevented the intended session secret from being used.”
“For testing purposes, they have replaced it with a static value and just forgot to change it back,” Fenske said. “In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.”
While GitHub should not have been signing cookies that hold session data with a static secret, the second problem, Fenske says, is that the session data was serialised with Marshal. Marshal, a Ruby library that converts collections of Ruby objects into a byte stream, has a method, Marshal.load, that reconstructs those objects from the serialised data.
An attacker who knew this secret could have forged a session cookie that, when deserialised by Marshal.load, would have tricked GitHub Enterprise into running whatever code they wanted.
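As an added illustration (not code from GitHub or from Fenske's report), here is a simplified Ruby model of a signed session cookie, laid out like Rails' MessageVerifier (an assumption) with a JSON serializer. The checks at the end show the two mitigations: a cookie signed with a known static secret verifies on any console that still uses that secret, while a randomly generated per-machine secret rejects it, and JSON deserialisation yields only plain data, unlike Marshal.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Simplified model of a signed Rails session cookie (an assumption: laid out like
# ActiveSupport::MessageVerifier, "base64(payload)--hmac", with a JSON serializer).
class SignedSession
  def initialize(secret)
    @secret = secret
  end
  # Cookie value the server sets; JSON can only encode plain data, unlike Marshal.
  def generate(data)
    payload = Base64.strict_encode64(JSON.generate(data))
    "#{payload}--#{sign(payload)}"
  end
  # Session data if the signature was produced with this instance's secret, else nil.
  def verify(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return nil unless payload && sig && secure_compare(sign(payload), sig)
    # JSON.parse yields only strings, numbers, arrays and hashes: no object instantiation.
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private
  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  def secure_compare(a, b) # constant-time comparison of two hex digests
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

STATIC_TEST_SECRET = 'static-development-secret' # constructed stand-in for a hardcoded value
PER_MACHINE_SECRET = SecureRandom.hex(32)        # what production should generate at install

# A cookie minted with the static secret still verifies on a console using that secret ...
def accepted_with_static_secret?
  cookie = SignedSession.new(STATIC_TEST_SECRET).generate('user_id' => 1)
  SignedSession.new(STATIC_TEST_SECRET).verify(cookie) == { 'user_id' => 1 }
end

# ... but is rejected once the secret is random per machine, as the fix intends.
def rejected_with_random_secret?
  cookie = SignedSession.new(STATIC_TEST_SECRET).generate('user_id' => 1)
  SignedSession.new(PER_MACHINE_SECRET).verify(cookie).nil?
end
```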
Source: Threatpost