Coordinated Disclosure Timeline

  • 2020-12-17: Reported to security@jetbrains.com.
  • 2020-12-18: JetBrains replies that the issue will be investigated by its team.
  • 2021-02-02: JetBrains states that they have found an appropriate solution and have started implementing it.
  • 2021-03-25: Requested status update from JetBrains.
  • 2021-03-25: A fix was implemented in IntelliJ IDEA 2020.3.3, released on March 16, 2021.

Summary

Upon cloning or checking out a Gradle project from an external repository (Get from VCS), both IntelliJ IDEA and Android Studio run the Gradle build task.

Products

  • IntelliJ IDEA
  • Android Studio

Tested Version

  • IntelliJ IDEA 2020.3 (Community Edition)

Build #IC-203.5981.155, built on November 30, 2020

  • Android Studio 4.1.1

Build #AI-201.8743.12.41.6953283, built on November 5, 2020

Details

Issue: Code execution when cloning/checking out a repository

When cloning or checking out a repository containing a Gradle project, Android Studio and IntelliJ IDEA immediately run the build task without asking for user confirmation, which would have given the developer an opportunity to analyze the build script first.

If an attacker fools a developer into cloning or checking out a malicious repository, they will be able to run arbitrary code as part of the clone or checkout operation. For example, an attacker could hide a malware dropper using Gradle's Exec, or try something stealthier.

apply plugin: 'java'

sourceCompatibility = 1.8
targetCompatibility = 1.8

// Spawns an external process through Gradle's exec.
void checkRequirements() {
    exec {
        executable 'touch'
        args '/tmp/pwned_from_gradle'
    }
}

// Configuration closure of the java plugin's build task: it runs while the
// build script is evaluated, i.e. as soon as the IDE imports the project.
build {
    checkRequirements()
}

When searching for similar patterns, I found the exact same issue being discussed as a malware spread vector, which highlights why this issue should be addressed. In addition, a similar vulnerability (CVE-2020-17156) was recently fixed in MS Visual Studio.

Impact

Arbitrary Code Execution on repository cloning/checkout.

CVE

  • CVE-2021-29263

Resources

https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021/

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2020-337, GHSL-2020-338 in any communication regarding this issue.