Full Report
The author got code access from a friend to some of the Mozilla infrastructure. Mozilla uses Mercurial (hg) for version control, and that is where the bug is. pash appears to be a small restricted shell used to handle SCM operations for hg.mozilla.org over SSH. One of its functions allows a user to clone the private repositories of a given user; the name of that source user is read from an SSH prompt and is completely attacker controlled. When the script checks via LDAP whether that user exists, the author at first thought they had LDAP injection. However, the characters needed for that were being filtered out. So, what can we do? The filtering can be bypassed by injecting an encoded null byte. The null byte is encoded and escaped exactly as the LDAP filter syntax allows, so it survives the character filter; but when the filter is used in the LDAP query, the decoded null byte is interpreted like a normal string terminator and the comparison stops there. What does this mean? The bad-character filtering on the LDAP query can be bypassed to get LDAP injection: the query can be made to return true for our (real) user while the string still carries additional malicious content. That content then reaches the rest of the script, which assumed that a validated user name could never contain malicious characters, and yields command injection. To me, the filtering on the command should have been done regardless; you can't rely on valid users, as issues like this one may occur. I asked the author how they thought of this issue. The author said they had been reading the LDAP specifications, saw that you can encode arbitrary bytes, and then just tried it in their local environment. To me, the takeaway is simply to try lots of things and observe the results in a good test environment.
Analysis Summary
# Vulnerability: RCE via LDAP Truncation in Mozilla pash
## CVE Details
- **CVE ID**: Not explicitly assigned in the report (Mozilla Bugzilla ID: 1807621)
- **CVSS Score**: Not assigned. Estimated 8.8 (High) as CVSS v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, rising to 9.9 (Critical) if the compromised host is judged to change scope (S:C).
- **CWE**: CWE-90 (LDAP Injection), CWE-78 (OS Command Injection), CWE-158 (Improper Neutralization of Null Byte)
## Affected Systems
- **Products**: Mozilla `pash` (custom shell for Mercurial SSH operations)
- **Versions**: Legacy versions of `version-control-tools` (pre-December 2022)
- **Configurations**: Systems running `hg.mozilla.org` infrastructure utilizing `pash` for handling SCM operations via SSH.
## Vulnerability Description
The vulnerability exists in the `make_repo_clone` method of `pash`. The method reads a user-controlled value (`source_user`) from an SSH prompt and passes it to the LDAP validation function `is_valid_user`. That function attempts to sanitise the input by stripping characters such as `(`, `)`, `'`, `"`, and `;`, but it does not account for LDAP hex escapes, so an encoded null byte (`\00`) passes through the filter unchanged.
LDAP filter syntax (RFC 4515) lets any byte be written as a `\XX` hex escape, so the attacker appends `\00` followed by shell metacharacters to a genuine user name. The string survives the character filter, but when the search is processed the decoded NUL byte terminates the value being compared; the lookup therefore matches the genuine user and `is_valid_user` returns true. The full input string, including everything after the null byte, is then treated as validated and passed to `run_command`, which (via `sh_helper.py`) interpolates it into a shell command such as `find`. The result is OS command injection.
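The following is an added model of the flow described above and in the Full Report; it is not pash's code. It reconstructs the three pieces the report names (a sanitiser that strips `()'";`, a filter built by string formatting, and a shell string assembled after validation) and replaces the LDAP server with a constructed stand-in that decodes RFC 4515 hex escapes and then compares as a C string would, stopping at the first NUL. The `mail` attribute, the `/repo/users` path, the function names and the use of `|` as the surviving metacharacter are assumptions for illustration.

```python
import re

# Added model of the vulnerable flow. Names (naive_sanitize, FakeDirectory, the
# `mail` attribute, the /repo/users path) are assumptions for illustration,
# not pash's actual code.

STRIPPED = set("()'\";")  # characters the report says the sanitiser removed


def naive_sanitize(user_input: str) -> str:
    """Drop the filtered characters. Backslash is not on the list, so an LDAP
    hex escape such as \\00 survives untouched."""
    return "".join(ch for ch in user_input if ch not in STRIPPED)


def build_filter(value: str) -> str:
    """Filter built by string formatting; no RFC 4515 escaping of the value."""
    return f"(mail={value})"


_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def ldap_decode_value(value: str) -> bytes:
    """RFC 4515 assertion-value decoding: each \\XX becomes the raw byte 0xXX."""
    out = bytearray()
    i = 0
    while i < len(value):
        m = _HEX_ESCAPE.match(value, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += value[i].encode("utf-8")
            i += 1
    return bytes(out)


def c_string_truncate(raw: bytes) -> bytes:
    """Emulate a C-string consumer: everything from the first NUL on is ignored."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


class FakeDirectory:
    """Constructed stand-in for the LDAP server: decodes the filter value and
    compares it as a NUL-terminated string against the known mail addresses."""

    def __init__(self, mails):
        self.mails = {m.encode("utf-8") for m in mails}

    def search(self, ldap_filter: str) -> bool:
        m = re.fullmatch(r"\(mail=(.*)\)", ldap_filter, re.S)
        if m is None:
            return False  # malformed filter: no results
        asserted = c_string_truncate(ldap_decode_value(m.group(1)))
        return asserted in self.mails


def is_valid_user(directory: FakeDirectory, source_user: str) -> bool:
    """The check as the report describes it: sanitise, format, search."""
    return directory.search(build_filter(naive_sanitize(source_user)))


def clone_flow(directory: FakeDirectory, source_user: str, repo: str):
    """Return (validated, shell_string). The shell string is what a
    shell-interpolating run_command would receive; it is NOT executed here."""
    if not is_valid_user(directory, source_user):
        return False, None
    # The original string, NUL escape and all, is interpolated after validation.
    return True, f"find /repo/users/{source_user}/{repo} -maxdepth 0"


if __name__ == "__main__":
    directory = FakeDirectory(["alice@example.com"])
    for candidate in ["alice@example.com", "alice@example.com|id",
                      "alice@example.com\\00|id"]:
        print(repr(candidate), clone_flow(directory, candidate, "proj"))
```

Running the block shows the three cases side by side: the genuine address validates, the address with a bare `|id` suffix fails the lookup, and the address with `\00|id` validates while the returned shell string still contains `|id`. Note that the truncation is a property of whatever decodes the filter and hands it to NUL-terminated string handling; the constructed directory only makes that step visible.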
## Exploitation
- **Status**: PoC available; reported and fixed.
- **Complexity**: Medium (an authenticated account on the SSH SCM interface is required; once that access exists the injection itself is simple).
- **Attack Vector**: Network (via SSH).
## Impact
- **Confidentiality**: High (Access to private repositories and underlying server data).
- **Integrity**: High (Ability to modify code repositories or system files).
- **Availability**: High (Ability to execute arbitrary commands and disrupt services).
## Remediation
### Patches
- The vulnerability was reported to Mozilla on December 26, 2022. Users of the `version-control-tools` repository should ensure they are running the latest version of the `hgserver` components.
- Specific fixes involve stricter input validation and executing commands from an argument list instead of a shell-interpolated string in `run_command`.
### Workarounds
- Disable the `clone` functionality within `pash` if not strictly required.
- Implement strict allowlist validation for user-supplied email addresses/usernames (e.g., `^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`), applied with `re.fullmatch` rather than a `$`-anchored `re.match` (in Python `$` also matches before a trailing newline), and still escape the value for the LDAP filter before use.
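The hardened counterpart of the flow, as an added example rather than Mozilla's actual fix: RFC 4515 escaping of the filter value (python-ldap ships this as `ldap.filter.escape_filter_chars`; it is re-implemented here so the block runs offline), the allowlist from the workaround above applied with `re.fullmatch`, and an argv list so no shell ever parses the value. The `mail` attribute, the `/repo/users` layout and the function names are assumptions.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Added hardening example; not pash's code. The `mail` attribute, the
# /repo/users layout and the function names are assumptions.

# RFC 4515 assertion-value escaping: backslash first, then the metacharacters
# and NUL. Equivalent to python-ldap's ldap.filter.escape_filter_chars.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_chars(value: str) -> str:
    """An attacker-supplied '\\00' becomes '\\5c00': a literal backslash and
    the digits 00, which no longer decode to a NUL byte."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Allowlist from the workaround above, without ^/$ because fullmatch anchors it.
USER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REPO_RE = re.compile(r"[A-Za-z0-9._-]+")


def is_allowed_username(value: str) -> bool:
    """fullmatch: the whole string must match, so '\\', '|' and '\\n' are rejected."""
    return USER_RE.fullmatch(value) is not None


def dollar_anchored_match(value: str) -> bool:
    """The pitfall: '$' also matches before a trailing newline, so this accepts
    'alice@example.com\\n' while is_allowed_username() rejects it."""
    return re.match(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", value) is not None


def build_user_filter(source_user: str) -> str:
    """Validate first, escape second; either step alone would have been enough
    against '\\00', together they are defence in depth."""
    if not is_allowed_username(source_user):
        raise ValueError("rejected source_user")
    return f"(mail={escape_filter_chars(source_user)})"


def build_clone_argv(source_user: str, repo: str) -> list:
    """argv for subprocess.run(argv, shell=False): each element is one argument,
    so metacharacters in a value can never become shell syntax."""
    if not is_allowed_username(source_user):
        raise ValueError("rejected source_user")
    if REPO_RE.fullmatch(repo) is None or repo.startswith("."):
        raise ValueError("rejected repo")  # also blocks '.' and '..'
    path = PurePosixPath("/repo/users") / source_user / repo
    return ["find", str(path), "-maxdepth", "0"]


def run_clone_check(source_user: str, repo: str) -> subprocess.CompletedProcess:
    """No shell is involved: the list goes straight to execve."""
    return subprocess.run(build_clone_argv(source_user, repo),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(build_user_filter("alice@example.com"))
    print(escape_filter_chars("alice@example.com\\00|id"))
    print(build_clone_argv("alice@example.com", "proj"))
```

With both layers in place the report's payload fails at the allowlist, and a payload that somehow reached the filter would be escaped to `\5c00`, which the server decodes to a literal backslash followed by `00` rather than a NUL.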
## Detection
- **Indicators of Compromise**: Monitor the values entered at `pash` interactive prompts for the `\00` escape, raw NUL bytes, or shell metacharacters (e.g., `|`, `;`, `` ` ``, `$( )`). Note that `sshd` does not log session contents, so this requires `pash` (or the hg server) to log the prompt input itself.
- **Detection Methods**: Review LDAP server search logs for filter values containing `\00` or a raw NUL, or for assertion values that do not look like an address or username from the organisation's directory schema.
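A small scanner for the two log sources named above, added here as an example and not part of the original report. The `pash` prompt-log line format is hypothetical (the report does not describe one) and the `slapd`-style `SRCH ... filter="..."` lines are constructed; only the field regexes need adapting to real logs.

```python
import re

# Added detection sketch. The pash prompt-log format below is hypothetical and
# the slapd-style SRCH lines are constructed for the example.

SAMPLE_LINES = """\
2022-12-26T10:01:02Z pash pid=4242 prompt=source_user value="alice@example.com"
2022-12-26T10:03:17Z pash pid=4243 prompt=source_user value="alice@example.com\\00|id"
2022-12-26T10:04:40Z pash pid=4244 prompt=source_user value="bob@example.com$(id)"
conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(mail=alice@example.com)"
conn=1002 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(mail=alice@example.com\\00|id)"
""".splitlines()

# Fields worth inspecting: the prompt answer pash logs and the LDAP filter.
VALUE_FIELDS = [re.compile(r'value="([^"]*)"'), re.compile(r'filter="([^"]*)"')]

# Textual \00 escape, a raw NUL byte, or a URL-encoded %00.
NUL_RE = re.compile(r"\\00|\x00|%00")
# Shell metacharacters that have no place in a user name.
SHELL_META_RE = re.compile(r"[|&;`$<>\n]")


def inspect_line(line: str) -> list:
    """Return the reasons a line is suspicious ([] when it is clean)."""
    for field in VALUE_FIELDS:
        m = field.search(line)
        if m:
            value = m.group(1)
            reasons = []
            if NUL_RE.search(value):
                reasons.append("nul")
            if SHELL_META_RE.search(value):
                reasons.append("shell-meta")
            return reasons
    return []  # no inspectable field on this line


def scan(lines) -> list:
    """(line_number, reasons) for every flagged line, 1-based numbering."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = inspect_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LINES):
        print(number, ",".join(reasons), SAMPLE_LINES[number - 1])
```

A `nul` hit on either source is the strong signal for this bug class; a `shell-meta` hit alone is worth a look but will also fire on typos, so alert on the combination and review the rest.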
## References
- 0day.click Blog: hxxps://0day[.]click/recipe/pash/
- Mozilla Bugtracker (Private/Restricted): hxxps://bugzilla[.]mozilla[.]org/show_bug.cgi?id=1807621
- Mozilla Version Control Tools: hxxps://hg[.]mozilla[.]org/hgcustom/version-control-tools/