uniget Command Injection Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A command injection vulnerability allowing arbitrary code execution has been identified in uniget, a universal installer and updater for container tools. Versions up to and including 0.27.0 are affected. The 'check' field of a tool's metadata is passed verbatim to '/bin/bash -c', and because that metadata is loaded from untrusted JSON without validation or sanitization, shell metacharacters in the field (command separators, pipes, command substitution) are interpreted as part of the script. An attacker who can supply or modify metadata can therefore run arbitrary shell commands on the victim's system. The field is evaluated during common uniget operations such as describe, install, update, and inspect, so any of them triggers the payload. The injected commands run with the privileges of the user invoking uniget.

Impact

Exploitation of this vulnerability allows arbitrary command execution on the affected system as the uniget user. Potential consequences include unauthorized access to sensitive files or environment variables (including credentials exposed to the process), installation of malware or backdoors, modification or deletion of files, establishment of persistence on the machine, and compromise of CI/CD pipelines that install or update tools with uniget.

Reproduction

To reproduce this vulnerability, first confirm that the installed uniget binary is a vulnerable version (0.27.0 or earlier) by checking its version. Then place a tool entry in uniget's metadata cache whose 'check' field contains a crafted command; a harmless marker such as writing a file to a temporary directory is sufficient to prove execution. Finally, trigger the vulnerability by running the 'describe' command against the crafted tool name. The injected command executes when the 'check' field is evaluated, demonstrating the arbitrary code execution.
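As an added illustration of the pattern described in the Vulnerability and Reproduction sections, the following Go program shows the vulnerable construct (an untrusted 'check' string handed to 'bash -c') next to one way to harden it. This is example code written for this page; it is not uniget's source and does not claim to be the fix shipped in 0.27.1. The metadata field names, the checkToken allowlist, and the sample metadata entry are assumptions made for the example, and the payload is constructed to be harmless (it only echoes).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// ToolMetadata is the subset of a tool's metadata this example needs. The field
// names are assumed for illustration and are not uniget's actual schema.
type ToolMetadata struct {
	Name  string `json:"name"`
	Check string `json:"check"`
}

// maliciousMetadata is a constructed sample entry. The check field looks like a
// version probe but carries a second command behind ";" and a "$( )" command
// substitution; both are interpreted once the string reaches "bash -c".
const maliciousMetadata = `{"name":"demo-tool","check":"echo demo-tool-1.0; echo INJECTED as $(id -un)"}`

// loadMetadata parses a metadata entry the way an installer would, with no
// inspection of the check field at all.
func loadMetadata(raw []byte) (ToolMetadata, error) {
	var meta ToolMetadata
	if err := json.Unmarshal(raw, &meta); err != nil {
		return meta, err
	}
	return meta, nil
}

// runCheckUnsafe is the vulnerable pattern: the untrusted string becomes the
// shell's script, so ";", "&&", "|", "$( )" and backticks all take effect.
func runCheckUnsafe(check string) ([]byte, error) {
	return exec.Command("/bin/bash", "-c", check).CombinedOutput()
}

// checkToken is an assumed allowlist for one argv token: program names, flags,
// version strings and simple paths. Everything a shell would interpret
// (whitespace, quotes, $, ;, &, |, <, >, parentheses, backticks) is outside it.
var checkToken = regexp.MustCompile(`^[A-Za-z0-9._/=+:-]+$`)

// parseCheck turns a check string into an argv slice that can be executed
// without a shell. It rejects the string rather than trying to escape it.
func parseCheck(check string) ([]string, error) {
	argv := strings.Fields(check)
	if len(argv) == 0 {
		return nil, errors.New("check field is empty")
	}
	for _, tok := range argv {
		if !checkToken.MatchString(tok) {
			return nil, fmt.Errorf("check token %q contains characters that are not allowed", tok)
		}
	}
	return argv, nil
}

// runCheckSafe executes the validated argv directly. Each token is passed as a
// single argument to the program; no shell ever parses the string.
func runCheckSafe(check string) ([]byte, error) {
	argv, err := parseCheck(check)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	meta, err := loadMetadata([]byte(maliciousMetadata))
	if err != nil {
		panic(err)
	}
	fmt.Printf("tool %q check field: %s\n", meta.Name, meta.Check)

	// Vulnerable path: both the probe and the injected command run.
	out, _ := runCheckUnsafe(meta.Check)
	fmt.Printf("vulnerable path output:\n%s", out)

	// Hardened path: the entry is rejected before anything executes.
	if _, err := runCheckSafe(meta.Check); err != nil {
		fmt.Println("hardened path:", err)
	}
}
```

Two caveats on the hardened path. Rejecting metacharacters removes the shell from the picture, but it does not stop a metadata author from naming an arbitrary binary in argv[0]; a stricter design would also pin the program to the tool's own installed binary or a fixed allowlist of probes. And the allowlist is deliberately narrow: legitimate check commands that genuinely need shell syntax should be expressed as structured fields rather than by loosening the pattern.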

Remediation

Users are advised to update to uniget version 0.27.1 or later, where this vulnerability has been fixed. Until the update is applied, only use metadata from sources you control. Because the 'check' field executes with the privileges of the uniget user, any host or CI runner that processed metadata from an untrusted source while running a vulnerable version should be treated as potentially compromised and investigated accordingly.

Added: May 28, 2026, 3:10 AM
Updated: May 28, 2026, 3:10 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.5
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.