Technical Advisory: Shell Injection in SourceTree
Vendor: Atlassian Vendor URL: http://atlassian.com Versions affected: v1.9.8 known affected version, earlier versions possible Systems Affected: Mac OS X known affected, others possible Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: https://jira.atlassian.com/browse/SRCTREE-4481 Risk: Critical (reliable remote code execution)
SourceTree is a product for working with various types of code repositories.
SourceTree registers its own URL handler for
sourcetree:// URLs, which is vulnerable to shell command injection.
sourcetree:// URL handler
Attackers can execute arbitrary shell commands on computers running SourceTree 1.9.8 or earlier by getting a user to visit a malicious website or click a
SourceTree v1.9.8 and earlier are affected by a shell injection flaw in the handling of
sourcetree:// URLs. The
checkoutRef action uses the
cloneURL variable as part of a shell command without proper sanitization. It is possible to trigger this through a browser using a META refresh tag which redirects to a
Upgrade to the latest version of SourceTree.
2016-10-06 - Initial contact with Atlassian to request a security contact 2016-10-06 - Atlassian notes that it has a portal for reporting vulnerabilities and provides invites, as well as providing a PGP key 2016-10-12 - Provided Atlassian with a draft of this document and proof of concept exploit via email with PGP 2016-10-14 - Atlassian notes that the latest version of SourceTree, version 2.3.1, is not vulnerable 2016-10-20 - Asked Atlassian to confirm that we are OK to publish since the latest version is not vulnerable 2016-10-26 - Atlassian agrees but asks for a severity rating to ensure we publish with the same severity rating 2017-01-16 - Notified Atlassian that we identify the severity as critical 2017-01-16 - Atlassian asks us to notify them when we are going to release the advisory so they can coordinate their release 2017-02-15 - Notified Atlassian by email that we are preparing the advisory for release
Syndis – For discovering the bug
About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.