GitHub Code Execution Bug Fetches $18,000 Bounty

GitHub awarded $18,000 to a researcher after he came across a remote code execution bug in the company’s enterprise management console.

GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.

The company patched the vulnerability at the end of January, but news of the flaw didn’t surface until this week, when GitHub and Markus Fenske, a German independent pen-tester, disclosed it.

GitHub Enterprise is an on-premises version of GitHub.com that organizations can use to deploy a GitHub service on their local network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.

One problem stems from the fact that a static value was being used as the secret that cryptographically signs the Ruby on Rails session cookie for the console. The secret is supposed to be a randomly generated per-machine value, not a static one.

GitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but “an unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.”

“For testing purposes they replaced it with a static value and forgot to change it back,” Fenske told Threatpost. “In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.”

While GitHub shouldn’t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. Marshal, a library that converts collections of Ruby objects into a byte stream, has a method, .load, that converts serialized data back into Ruby objects and returns the result.

As Fenske points out, documentation around Marshal.load says to “never pass untrusted data (including user supplied input) to this method,” but that’s what GitHub was doing.

By knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.

“Because the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,” Fenske said.

Fenske says that while he sells sugar wax for hair removal by day–seriously–he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month, which he plans to use to carry out audits, pen-testing, and “the whole range” going forward. He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blog post by Taiwanese hacker Orange Tsai about a SQL injection he found in the platform.

“About two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,” Fenske said.

GitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.
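One way to close both problems described above, as an added Ruby example (not GitHub's code and not Rack's cookie format): the secret falls back to a random value when the configured one cannot be read, and cookie data is parsed as JSON instead of being passed to Marshal.load. The module name, the cookie layout and the use of HMAC-SHA256 are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"
require "json"

# Hypothetical module for illustration; not GitHub Enterprise or Rack code.
module SignedSession
  # Use the configured per-machine secret. If the file is missing, unreadable
  # (e.g. wrong permissions) or empty, fall back to a fresh random value,
  # never to a value shipped in the source tree.
  def self.load_secret(path)
    secret = File.read(path).strip
    raise ArgumentError, "empty secret" if secret.empty?
    secret
  rescue SystemCallError, ArgumentError
    SecureRandom.hex(16) # 16 random bytes written in hex
  end

  def self.sign(data, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  end

  # Compare MACs without stopping at the first differing byte.
  def self.same_mac?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # JSON can only produce hashes, arrays, strings, numbers, booleans and nil.
  def self.encode(session, secret)
    data = [JSON.generate(session)].pack("m0") # strict Base64
    "#{data}--#{sign(data, secret)}"
  end

  # Returns the session hash, or nil for a malformed cookie or bad signature.
  # Marshal.load is never called on cookie data.
  def self.decode(cookie, secret)
    data, mac = cookie.to_s.split("--", 2)
    return nil if data.nil? || mac.nil?
    return nil unless same_mac?(mac, sign(data, secret))
    JSON.parse(data.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

A cookie signed with any other key, including a static one that has become known, decodes to nil here; the signature protects the session only while the key stays secret.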

It was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and a spot in its Hall of Fame.

“Working with GitHub is really nice,” Fenske said. “For a company that big, their speed is amazing.”

The researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. The company announced the promotion, which stretched from January to February, to celebrate the third anniversary of its bug bounty program with HackerOne.

After he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and second place in the contest.

“I was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,” he said. “I did not know about that extra contest and was very pleasantly surprised.”

Fenske’s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. The company also fixed two separate SAML authentication bypass bugs in the service.

Fenske said the latest release of GitHub Enterprise uses a secret that’s 16 random bytes written in hex.

“I quickly calculated that cracking it will take about 469142742208 gigayears on an 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). I think it’s secure now.”
