The security holes have been reported as part of GitHub’s bug bounty program

Feb 15, 2014 10:10 GMT

Joernchen of Phonoelit has identified and reported three GitHub vulnerabilities: an SSH Git remote command execution (RCE), a two-factor authentication (2FA) brute-force, and a MySQL typecasting authentication bypass. All of these vulnerabilities have been fixed by GitHub.

The MySQL typecasting authentication bypass issue was reported back in June 2013. However, the other two security holes are “fresh.” The 2FA bug was reported at the end of January and the RCE flaw on February 10.

Regarding the RCE vulnerability, GitHub noted, “Environment variables were being set based on key/value pairs being passed over HTTP from one backend service to another. By injecting metacharacters in user controlled values, an attacker would have been able to add arbitrary key/value pairs.”

The expert has demonstrated how this issue could have been exploited for arbitrary command execution.

“We addressed the vulnerability by stripping metacharacters from user controlled data before using it in environment variables. We have also performed a full audit of related code to ensure that there were no similar vulnerabilities,” GitHub said in its report.
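The two GitHub statements above describe the bug and the fix only in outline. As an added illustration (not GitHub's code, and the newline-delimited `KEY=VALUE` wire format, the function names and the sample values are all assumptions made here), the block below shows a naive serializer that passes user-controlled values verbatim between two backend services, so a value carrying a line break becomes an extra pair on the receiving side, next to a hardened serializer that strips metacharacters from values before they are used as environment variables and a receiver that additionally drops any key it does not expect.

```python
import re

# Assumed wire format (not stated in the article): one "KEY=VALUE" pair per line.
# Characters that can start a new pair or terminate a C string on the receiver.
METACHARS = re.compile(r"[\r\n=\x00]")
# Environment variable names we are willing to emit at all.
KEY_OK = re.compile(r"^[A-Z][A-Z0-9_]*$")


def encode_pairs_unsafe(pairs):
    """Naive encoder: trusts values verbatim. A value containing a newline
    or '=' is parsed as one or more additional pairs on the receiving side."""
    return "\n".join(f"{k}={v}" for k, v in pairs.items())


def encode_pairs_safe(pairs):
    """Hardened encoder: refuse keys that are not plain env names and strip
    metacharacters from values (the approach the GitHub statement describes)."""
    out = []
    for k, v in pairs.items():
        if not KEY_OK.match(k):
            raise ValueError(f"invalid env key: {k!r}")
        out.append(f"{k}={METACHARS.sub('', v)}")
    return "\n".join(out)


def decode_pairs(wire, allowed_keys=None):
    """Receiver side: split lines, split each on the first '=', build a dict.
    When allowed_keys is given, unexpected keys are dropped (defence in depth,
    an assumption added here rather than something the article reports)."""
    env = {}
    for line in wire.split("\n"):
        if not line:
            continue
        k, _, v = line.partition("=")
        if allowed_keys is not None and k not in allowed_keys:
            continue
        env[k] = v
    return env


# Constructed sample input: a user-controlled value that embeds a line break.
TAINTED = {"REPO_OWNER": "alice", "REPO_NAME": "demo\nEXTRA_KEY=attacker_controlled"}
EXPECTED_KEYS = {"REPO_OWNER", "REPO_NAME"}


def demo():
    """Returns (env from naive encoder, env from hardened encoder,
    env from naive encoder with a key allowlist on the receiver)."""
    unsafe = decode_pairs(encode_pairs_unsafe(TAINTED))
    safe = decode_pairs(encode_pairs_safe(TAINTED))
    filtered = decode_pairs(encode_pairs_unsafe(TAINTED), EXPECTED_KEYS)
    return unsafe, safe, filtered


if __name__ == "__main__":
    for label, env in zip(("naive", "stripped", "allowlisted"), demo()):
        print(f"{label:>11}: {env}")
```

Stripping keeps the fix local to the sender, which matches the statement; the receiver-side allowlist is the check a reviewer would add so that a future encoder bug cannot reintroduce arbitrary keys, and the two measures are independent of each other.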

As far as the 2FA vulnerability is concerned, Joernchen found that the number of two-factor authentication attempts was not limited, allowing an attacker to make unlimited guesses to determine the codes.

In order to address this problem, existing rate limiting has been expanded to include 2FA as well.
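The article names the fix (rate limiting extended to 2FA) without showing what it looks like. The block below is an added example, not GitHub's implementation; the limiter design, the per-account window, the threshold of five failures per ten minutes, the function names and the scenario data are all assumptions made here. It keeps a sliding window of failed code submissions per account, refuses further submissions (including a correct one) while the window is full, and compares codes in constant time.

```python
import hmac
import time
from collections import defaultdict, deque


class TwoFactorRateLimiter:
    """Sliding-window limiter keyed by account: at most max_attempts failed
    2FA submissions per window_seconds. The clock is injectable so the
    behaviour can be exercised without sleeping."""

    def __init__(self, max_attempts=5, window_seconds=600, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account):
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, account):
        return len(self._prune(account)) < self.max_attempts

    def record_failure(self, account):
        self._prune(account).append(self.clock())

    def reset(self, account):
        self._failures.pop(account, None)


def verify_2fa(limiter, account, submitted, expected):
    """Returns 'ok', 'bad-code' or 'rate-limited'. The limiter is consulted
    before the comparison, so a throttled account cannot learn anything, and
    compare_digest avoids leaking matching digits through timing."""
    if not limiter.allowed(account):
        return "rate-limited"
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        limiter.reset(account)
        return "ok"
    limiter.record_failure(account)
    return "bad-code"


class FakeClock:
    """Deterministic stand-in for time.monotonic (constructed for the demo)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_guessing(attempts, max_attempts=5, window_seconds=600):
    """Constructed scenario: `attempts` sequential wrong codes (000000, 000001, ...)
    are submitted for one account whose expected code is 123456, one per second.
    Returns how many submissions were rejected as bad codes versus throttled."""
    clock = FakeClock()
    limiter = TwoFactorRateLimiter(max_attempts, window_seconds, clock)
    outcomes = {"ok": 0, "bad-code": 0, "rate-limited": 0}
    for i in range(attempts):
        code = f"{i:06d}"  # never equals 123456 while i < 123456
        outcomes[verify_2fa(limiter, "alice", code, "123456")] += 1
        clock.advance(1)
    return outcomes


if __name__ == "__main__":
    print(simulate_guessing(20))
```

Without the limiter every one of the 20 submissions in the scenario would be evaluated; with it only the first five are, and the rest are answered identically regardless of the code submitted. A six-digit code space is one million values, so capping evaluations per window is what turns an unbounded guessing problem into a bounded one; on a real service the failures would also be logged per account so the throttling events themselves become a detection signal.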

For his findings, GitHub has rewarded the expert with a total of 7,000 points, which puts him at the top of the leaderboard. Joernchen says he will donate part of the reward to OverTheWire and Das Labor.

On the GitHub bug bounty leaderboard, Joernchen is followed by Egor Homakov, who has managed to combine 5 low-severity issues into a critical one. He has been rewarded with 5,750 points ($4,000 / €2,935).