The pedantic distinction between RCE and command injection

On the 2nd of July 2024, Sonar disclosed some unpatched RCE in Gogs, and it sparked an interesting, albeit pedantic, discussion on an obscure IRC channel somewhere on the internet that might be of interest to a broader audience of nerds.

The vulnerabilities in question are:

> Argument Injection in the built-in SSH server (CVE-2024-39930, CVSS 9.9 Critical)
> Argument Injection when tagging new releases (CVE-2024-39933, CVSS 7.7 High)
> Argument Injection during changes preview (CVE-2024-39932, CVSS 9.9 Critical)
> Deletion of internal files (CVE-2024-39931, CVSS 9.9 Critical)

The proper nomenclature for the first three vulnerabilities isn’t “remote code execution”: an argument injection is a data-only attack. It typically only provides opportunities to (ab)use privileges the process already has, not to escalate them. In these cases, it would be better to describe them as “arbitrary command execution”, not “code execution”.
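To make the distinction concrete, here is an added Go example (not Gogs code, and not from the advisory) showing the shape of an argument injection: a user-supplied tag name spliced into `git`'s argv, where a name starting with `-` is parsed as an option rather than as data, beside a hardened builder that allow-lists the name (the regexp is an assumption for this example, stricter than git's own ref rules) and terminates option parsing with `--`. Nothing is injected into the process's code; git simply does what its own argument parser tells it to, with git's privileges.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// refPattern is a deliberately strict allow-list for user-supplied ref/tag names.
// Assumption for this example; git-check-ref-format accepts a wider set.
var refPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// vulnerableGitArgs builds a `git tag` argv the way argument-injection bugs
// typically arise: the untrusted name lands directly in the argument list,
// so a dash-prefixed name is consumed by git's option parser.
func vulnerableGitArgs(tagName string) []string {
	return []string{"tag", tagName}
}

// hardenedGitArgs rejects names outside the allow-list and, as a second layer,
// emits "--" so that git treats whatever follows strictly as a ref name.
func hardenedGitArgs(tagName string) ([]string, error) {
	if !refPattern.MatchString(tagName) {
		return nil, errors.New("ref name rejected by allow-list")
	}
	return []string{"tag", "--", tagName}, nil
}

// looksLikeOption reports whether git's parser would read the argument as a flag.
func looksLikeOption(arg string) bool {
	return len(arg) > 1 && arg[0] == '-'
}

func main() {
	// Constructed sample inputs: one legitimate tag, one dash-prefixed name.
	for _, name := range []string{"v1.2.3", "--not-a-tag"} {
		argv := vulnerableGitArgs(name)
		fmt.Printf("vulnerable: git %v (parsed as option: %v)\n", argv, looksLikeOption(argv[1]))
		if safe, err := hardenedGitArgs(name); err != nil {
			fmt.Printf("hardened:   rejected %q: %v\n", name, err)
		} else {
			fmt.Printf("hardened:   git %v\n", safe)
		}
	}
}
```

The mitigation point from the post follows directly: whatever the injected argument makes git do, it runs as the same binary under the same AppArmor or SELinux policy, which is why such policies can contain it.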

Another important distinction is that while the former (command execution) can be effectively mitigated by access control policies like AppArmor, SELinux, Grsecurity’s RBAC, OpenBSD’s unveil … the latter (code execution) usually results in the ability to execute arbitrary code, including arbitrary syscalls, opening the door to privilege escalation, and is **much harder** to mitigate, as seccomp is virtually unusable and the rest is usually too coarse-grained to be effective.

Have fun being pedantic next time the latest trendy RCE is discussed at the coffee machine.