GitHub Enterprise Server Privilege Escalation Vulnerability Granting Root SSH Access

Vulnerability

A privilege escalation vulnerability has been identified in GitHub Enterprise Server that allows an authenticated enterprise admin to gain root SSH access. The vulnerability stems from a symlink escape in pre-receive hook environments. By creating a malicious repository and hook environment, an attacker could replace system binaries during hook cleanup, executing a payload that adds their SSH key to the root user's authorized keys and thereby granting root access. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.19 and was reported through the GitHub Bug Bounty program.

Impact

Exploitation of this vulnerability allows for unauthorized root SSH access on the server, potentially leading to full system compromise.

Reproduction

To reproduce this vulnerability, an authenticated enterprise admin must create a repository with a pre-receive hook. During a hot patch upgrade, when dynamic ports are available, the admin can upload a malicious payload that exploits the symlink escape, replacing system binaries with ones that add their SSH key to the root user's authorized keys.

Remediation

GitHub Enterprise Server has released patches for this vulnerability in versions 3.14.19, 3.15.14, 3.16.10, 3.17.7, and 3.18.1.
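A fleet-wide version check a defender can run against an inventory of GHES instances, added here as an example (not from the advisory or from GitHub); it encodes the patched releases listed above and treats 3.19 and later as fixed. The version-string format and the sample inventory are assumptions.

```python
"""Decide whether a GitHub Enterprise Server version still carries the
pre-receive hook symlink escape, using the patched releases from the
advisory: 3.14.19, 3.15.14, 3.16.10, 3.17.7, 3.18.1, and 3.19+ fixed.
The 'X.Y.Z' version format (optionally 'vX.Y.Z') is an assumption."""
from typing import Dict, Iterable, Tuple

# First patched release on each affected minor line, from the advisory.
PATCHED: Dict[Tuple[int, int], int] = {
    (3, 14): 19,
    (3, 15): 14,
    (3, 16): 10,
    (3, 17): 7,
    (3, 18): 1,
}
FIXED_FROM = (3, 19)  # every release from this minor line onward is fixed


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (or 'X.Y') into a tuple; a leading 'v' is tolerated."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable(text: str) -> bool:
    """True if this GHES version predates the fix on its minor line."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line >= FIXED_FROM:
        return False
    if line in PATCHED:
        return patch < PATCHED[line]
    # Older lines (3.13 and earlier) received no backported fix: upgrade.
    return True


def audit(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each inventory version string to whether it is still vulnerable."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["3.13.5", "3.14.18", "3.14.19", "3.17.7", "3.18.0", "3.19.0"]
    for version, bad in audit(sample).items():
        print(f"{version:>8}: {'VULNERABLE, upgrade' if bad else 'patched'}")
```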

Added: Nov 10, 2025, 11:23 PM
Updated: Nov 10, 2025, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 5.1
remediation: 7.7
relevance: 1.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.