Gix-Transport Command Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A command injection vulnerability has been identified in the gix-transport crate for Rust, affecting versions prior to 0.36.1. This vulnerability allows attackers to execute arbitrary commands by exploiting the way SSH clone URLs are processed. Specifically, the gix-transport crate does not properly validate the username portion of an SSH URL before passing it to the SSH program, so a username beginning with a hyphen is interpreted by the SSH program as a command-line option rather than as part of the destination. As a result, attackers can execute commands with observable effects, such as launching applications or creating files, depending on the injected payload.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of commands on the user's system, with the potential for significant consequences depending on the nature of the executed commands.

Reproduction

To reproduce this vulnerability, first create a file in the current directory named 'configfile@example.com' containing a 'ProxyCommand' directive that includes a command with an observable side effect, such as opening a graphical application or writing to a file. Then, use the 'gix clone' command with an SSH URL that includes a username starting with a hyphen, which will be interpreted as an option by the SSH command. The injected command specified in the configuration file will then be executed, demonstrating the vulnerability.
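The mechanism described in the Vulnerability and Reproduction sections, as an added example (not gitoxide's own code): a scp-like SSH URL is split into user, host and path, and the user part is placed verbatim into the argv handed to the ssh binary, where a leading hyphen is read as an option. The hardened variant rejects any user or host that begins with '-'; the parser only handles the "user@host:path" form, and the argv layout is an assumption made for illustration.

```rust
// Added example, not code from gix-transport. Shows the vulnerable argv
// construction beside a hardened one for scp-like URLs ("user@host:path").

#[derive(Debug, PartialEq)]
pub struct SshTarget {
    pub user: Option<String>,
    pub host: String,
    pub path: String,
}

/// Parse "user@host:path" (assumed input form; ssh:// URLs are not handled here).
pub fn parse_scp_like(url: &str) -> Option<SshTarget> {
    let (authority, path) = url.split_once(':')?;
    let (user, host) = match authority.split_once('@') {
        Some((u, h)) => (Some(u.to_string()), h),
        None => (None, authority),
    };
    if host.is_empty() || path.is_empty() {
        return None;
    }
    Some(SshTarget { user, host: host.to_string(), path: path.to_string() })
}

/// Vulnerable construction: the URL's user@host becomes ssh's first argument,
/// so a user such as "-x" is parsed by ssh as an option, not a destination.
pub fn ssh_argv_unchecked(t: &SshTarget) -> Vec<String> {
    let dest = match &t.user {
        Some(u) => format!("{}@{}", u, t.host),
        None => t.host.clone(),
    };
    vec!["ssh".to_string(), dest, "git-upload-pack".to_string(), t.path.clone()]
}

/// Hardened construction: refuse any user or host that ssh could read as an option.
pub fn ssh_argv_checked(t: &SshTarget) -> Result<Vec<String>, String> {
    if t.user.as_deref().map_or(false, |u| u.starts_with('-')) {
        return Err(format!("refusing ssh username that looks like an option: {:?}", t.user));
    }
    if t.host.starts_with('-') {
        return Err(format!("refusing ssh host that looks like an option: {}", t.host));
    }
    Ok(ssh_argv_unchecked(t))
}
```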

Remediation

Users should update to gix-transport version 0.36.1 or later, where this vulnerability has been patched.

Added: Jul 28, 2025, 1:23 AM
Updated: Jul 28, 2025, 1:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.