Aandrew-me tgpt Command Injection Vulnerability in Update Handler
Vulnerability
A command injection vulnerability has been identified in aandrew-me tgpt versions through 2.11.1 on Linux and macOS. The issue arises in the Update Handler component, specifically within the helper.Update function in helper.go. The vulnerability allows for arbitrary command execution by manipulating the executable path with shell metacharacters. Exploitation requires local access and user interaction.
Impact
Exploitation of this vulnerability allows for local command injection, where attacker-controlled commands can be executed with the privileges of the current user. In the context of an updater, this could be considered a high-severity issue, as it involves arbitrary command execution in a sensitive application component.
Reproduction
To reproduce this vulnerability, execute the tgpt application with the update command option, -u, from a path that includes shell metacharacters such as semicolons or hashes. The Update Handler will concatenate the executable path into a shell command and execute it via bash -c. This will result in the execution of injected commands, such as opening the calculator application, with the current user's privileges.
Remediation
Users are advised not to use bash -c with dynamically concatenated input. Instead, download or load any necessary scripts separately, pass executable paths as distinct arguments, and avoid shell parsing altogether. If shell usage is unavoidable, make sure arguments are properly escaped, while still prioritizing the avoidance of shell string construction.
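The following Go program illustrates the defect class described under Reproduction and the fix described under Remediation. It is an added example, not tgpt's own code: the installer name install-tgpt.sh, the --target flag, and the helper names are assumptions. It contrasts a shell string built by concatenating the executable path with an exec.Command call that passes the path as a separate argv entry, and it adds the escape and refuse-on-metacharacter checks for the case where a shell string really is unavoidable.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Characters bash gives special meaning. Any of them in an executable path
// makes it unsafe to splice that path into a `bash -c` string.
const shellMeta = ";|&$`\"'\\<>()#*?[]{}~!\n\t "

// ContainsShellMeta reports whether s contains at least one bash metacharacter.
func ContainsShellMeta(s string) bool {
	return strings.ContainsAny(s, shellMeta)
}

// UnsafeUpdateCommandLine reproduces the vulnerable shape the advisory
// describes: the executable path is concatenated into one string that would
// be handed to `bash -c`. It is returned as a string for inspection only and
// is never executed here. "install-tgpt.sh" is a hypothetical installer name.
func UnsafeUpdateCommandLine(exePath string) string {
	return "install-tgpt.sh " + exePath
}

// SafeUpdateCommand builds the update without a shell: the (hypothetical)
// installer and the executable path are distinct argv entries, so no shell
// ever parses the path and metacharacters in it are inert bytes.
func SafeUpdateCommand(installer, exePath string) *exec.Cmd {
	return exec.Command(installer, "--target", exePath)
}

// ShellQuote wraps s in single quotes and escapes embedded single quotes, so
// the result is one literal word if a shell string cannot be avoided.
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// ValidateExePath is the stricter option for the shell-string case: refuse
// rather than escape when the path contains any metacharacter.
func ValidateExePath(p string) error {
	if ContainsShellMeta(p) {
		return errors.New("executable path contains shell metacharacters; refusing to build a shell command")
	}
	return nil
}

func main() {
	// The real input an updater works with: its own executable path.
	exe, err := os.Executable()
	if err == nil {
		fmt.Printf("current executable: %q (metacharacters: %v)\n", exe, ContainsShellMeta(exe))
	}

	// Constructed path in the advisory's scenario: a directory name that
	// contains a semicolon and a hash.
	odd := "/tmp/a;b #c/tgpt"
	fmt.Println("unsafe shell string:", UnsafeUpdateCommandLine(odd))
	fmt.Println("quoted for a shell: ", ShellQuote(odd))
	fmt.Println("validate:", ValidateExePath(odd))

	// With echo standing in for the installer, the path reaches the child
	// process as a single intact argument regardless of its contents.
	out, err := SafeUpdateCommand("echo", odd).CombinedOutput()
	fmt.Printf("child received: %q (err=%v)\n", strings.TrimSpace(string(out)), err)
}
```

The argv-based form is the one to prefer; ShellQuote and ValidateExePath exist only for code that still has to build a shell string, and of the two, refusing suspicious input is the smaller surface.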