GitHub awards researcher $18,000 for remote code execution flaw discovery

The severe bug impacted GitHub Enterprise and could have given attackers the opportunity to hijack the management console.

Markus Fenske

GitHub has awarded a researcher $18,000 for disclosing a security flaw in GitHub Enterprise which could have lead to remote code execution.

According to independent German researcher Markus Fenske, the code repository awarded him the amount for disclosing a serious security vulnerability in GitHub Enterprise, an on-premise version of GitHub designed for businesses looking to collaborate on coding but retain strict control of permissions and access to projects.

In a blog post, Fenske said that GitHub Enterprise runs the same general code base as the original GitHub, but a combination of two bugs allowed him to break the management console and would theoretically allow attackers to execute code remotely, leading to everything from data theft to session hijacking.

The first bug was discovered after the security researcher downloaded the GitHub Enterprise VirtualBox image. Inside, there is a Ruby module which was easily cracked, allowing Fenske to get his hands on the deobfuscated management console code.

The weak console security was due to the use of a static secret to cryptographically sign the session cookie, rather than a randomly generated set of numbers, to sign the session.

GitHub admits that the static secret was originally intended for use in testing and development only, but "an unrelated change of file permissions prevented the intended session secret from being used."

If an attacker discovered this oversight, then they could forget a valid signature into Marshal.load, which deserializes the Ruby session. While this is still limited to 32 random bytes as a session ID, the first problem then leads to the second, which is the feeding of arbitrary data into the module since the valid signature is present.

"Unlike JSON, the Marshal format does not only allow hashes, arrays, and static types but also Ruby objects," the researcher said. "This allows remote code execution."

See also: GitHub secret key finder released to public

Fenske first disclosed the security issue to GitHub on January 26. The GitHub team then set about triaging the bugs and awarded the researcher $10,000 on January 31.

After patching the flaw through the release of GitHub Enterprise 2.8.7 in March, the code repository then awarded Fenske an additional $8,000 and a place in the GitHub Hall of Fame.

Speaking to ThreatPost, the researcher said the latest release of GitHub Enterprise uses a hex-based 16 random byte secret, and will also default to a randomly generated session secret if initial configurations are not found.

"I quickly calculated that cracking it will take about 469142742208 gigayears on a 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears)," Fenske said. "I think it's secure now."

Protecting the Core: Microsoft bug detectors offered bigger reward:

Protecting the Core: Microsoft bug detectors offered bigger reward
Show Comments