Atheos Command Injection Vulnerability in Git Integration Allows Arbitrary Command Execution
Vulnerability
A vulnerability in Atheos, a self-hosted cloud IDE, prior to version 6.0.4 allows arbitrary command execution through improper use of `escapeshellcmd()` in the Git integration component. Because `escapeshellcmd()` escapes shell metacharacters but leaves spaces and option-style tokens intact, an attacker-controlled value can be split into extra arguments for the underlying `git` command (argument injection). Administrators and users of vulnerable Atheos versions are at risk of unauthorized access, data breaches, and full server compromise.
Impact
The vulnerability allows authenticated users to execute arbitrary commands on the server, potentially leading to full server compromise. In a demonstrated exploitation, the flaw was used to execute commands that created files in the `/tmp` directory and established a reverse shell connection.
Reproduction
To reproduce this vulnerability, first initialize a Git repository using the Atheos IDE. Then send a crafted request to the Git integration that triggers `git fetch` with an injected `--upload-pack` argument; Git runs the value of `--upload-pack` as a command on the server, so arbitrary commands can be executed this way. For example, supplying a `touch` command as the `--upload-pack` value creates a file in the `/tmp` directory, which confirms command execution.
Remediation
Users should update to Atheos version 6.0.4 or later, where this vulnerability has been addressed. In the patched version, the `Common::safe_execute` function quotes every argument individually with `escapeshellarg()` before execution, so user-supplied values can no longer be split into additional command-line tokens, and all components have been migrated to use this execution method.
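As an added illustration (not Atheos's own code), the following PHP contrasts escaping a whole command line with `escapeshellcmd()` against quoting each argument with `escapeshellarg()`, and adds the option-style input check a practitioner would want on top of the fix. The function names and the `$remote` parameter are assumptions for this example.

```php
<?php
// Added illustration, not Atheos's code. Shows why escapeshellcmd() on a
// whole command line permits argument injection, and a per-argument
// escapeshellarg() wrapper in the style the 6.0.4 fix describes.

// Weak pattern: escapeshellcmd() neutralises shell metacharacters such as
// ; | & ` $ but deliberately leaves spaces and leading dashes untouched.
// A value of the form "<remote> --some-option=..." therefore reaches git as
// several tokens, and git interprets the extra token as an option.
function weak_execute(string $remote): string
{
    return (string) shell_exec(escapeshellcmd("git fetch $remote"));
}

// Hardened pattern: every argument is quoted on its own, so each caller
// supplied value becomes exactly one argv element for the child process.
function safe_execute(string $binary, array $args): string
{
    $quoted = array_map('escapeshellarg', $args);
    return (string) shell_exec(escapeshellcmd($binary) . ' ' . implode(' ', $quoted));
}

// Defensive caveat: escapeshellarg() keeps a value as one token, but a token
// that starts with "-" is still parsed by git as an option. Reject
// option-like user input outright, and pass a literal "--" so that git
// (whose built-ins stop option parsing at "--") treats what follows as a
// positional operand rather than a flag.
function git_fetch(string $remote): string
{
    if ($remote === '' || $remote[0] === '-') {
        throw new InvalidArgumentException('remote must not look like an option');
    }
    return safe_execute('git', ['fetch', '--', $remote]);
}
```

Routing all process execution through one wrapper of this shape also gives a single place to log the final argv, which makes unexpected option-like arguments easy to spot in review or in server logs.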