CVE-2017-17536 in Phabricator
Summary
by MITRE
Phabricator before 2017-11-10 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a --config= or --debugger= substring.
Analysis
by VulDB Data Team • 12/13/2019
The vulnerability identified as CVE-2017-17536 affects Phabricator versions prior to 2017-11-10 and is a critical command injection flaw caused by insufficient input validation in Phabricator's integration with the Mercurial hg program. The web-based user interface fails to block specific command-line flags when processing branch names, which gives remote attackers a path to execute arbitrary code on the affected system. The flaw lies specifically in the interaction between Phabricator's web interface and the Mercurial version control system, where branch names are passed directly to the hg command without adequate filtering.
The technical exploitation occurs when attackers craft branch names that begin with either --config= or --debugger= substrings, which are legitimate command-line arguments for the hg program. When these malicious branch names are processed through Phabricator's web UI, the system passes them directly to the underlying Mercurial command without proper sanitization. This behavior creates a command injection vulnerability where attackers can manipulate the hg command execution to run arbitrary shell commands, effectively bypassing normal access controls and potentially gaining full system control. The flaw operates at the intersection of input validation and command execution, where user-controllable data flows directly into system commands without proper escaping or filtering.
The operational impact of this vulnerability extends beyond simple code execution, as it allows attackers to perform a wide range of malicious activities including data exfiltration, system reconnaissance, privilege escalation, and persistent backdoor installation. Since the vulnerability is accessible through the web interface, attackers can exploit it remotely without requiring direct system access or authentication to the underlying Mercurial repository. This makes the attack surface particularly broad and the exploitation relatively straightforward for threat actors with basic knowledge of command injection techniques. The vulnerability essentially transforms the Phabricator web interface into a potential attack vector for arbitrary code execution, compromising the integrity and confidentiality of the entire system.
The primary mitigation for CVE-2017-17536 is updating to a Phabricator release dated 2017-11-10 or later, which blocks the affected flags and validates branch names before they reach hg. Organizations should also restrict network access to the Phabricator web interface to reduce the exposure to remote exploitation. Additional defensive measures include monitoring Mercurial repositories for branch names that begin with option-like prefixes and enforcing access controls on who can create or rename branches. The vulnerability is classified under CWE-77 and CWE-78 (command injection) and maps to ATT&CK techniques involving command and control through web application interfaces. Security teams may also deploy a web application firewall to detect and block option-like branch name patterns in requests to the web UI.
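As an added example (not Phabricator's or VulDB's own code), the following Python illustrates the validation described in the exploitation and mitigation paragraphs above: a user-supplied branch name is refused if it could be parsed by hg as an option, and the same check is reused to scan existing repositories for suspicious names. It generalizes beyond the two flags named in the advisory by rejecting any name that starts with '-'; the function and variable names, the sample branch list and the repository path are all constructed for this illustration.

```python
from typing import Iterable, List

# The two flags named in the advisory. Mercurial picks these out of argv during
# its early option pass, so a branch name that begins with them is honoured as
# a flag even though the caller intended it as a positional argument.
BLOCKED_HG_FLAGS = ("--config", "--debugger")


class UnsafeBranchName(ValueError):
    """Raised when a user-controlled branch name could be parsed by hg as an option."""


def is_safe_branch_name(name: str) -> bool:
    """True if `name` may be passed to hg as a positional argument.

    Rejects the advisory's --config= / --debugger= prefixes and, more
    generally, anything that starts with '-' or contains a NUL byte.
    """
    if not name or "\x00" in name:
        return False
    return not name.startswith("-")


def find_suspicious_branch_names(names: Iterable[str]) -> List[str]:
    """Return the subset of `names` that the validator would reject.

    Intended for periodic monitoring of branch names already present in
    repositories, as recommended in the mitigation section.
    """
    return [n for n in names if not is_safe_branch_name(n)]


def build_hg_log_argv(repo_path: str, branch: str) -> List[str]:
    """Build argv for listing the history of `branch` in `repo_path`.

    Validates the branch name first, then re-checks every argument so that a
    blocked flag cannot reach hg through any other parameter either.
    """
    if not is_safe_branch_name(branch):
        raise UnsafeBranchName(f"refusing option-like branch name: {branch!r}")
    argv = ["hg", "--repository", repo_path, "log", "--branch", branch, "--limit", "10"]
    for arg in argv[1:]:
        if arg.startswith(BLOCKED_HG_FLAGS):
            raise UnsafeBranchName(f"blocked hg flag in argument: {arg!r}")
    return argv


if __name__ == "__main__":
    # Constructed sample input: branch names as they might appear in a repository.
    sample = ["default", "feature/login", "--config=ui.verbose=true", "--debugger=1", "-rf"]
    print(find_suspicious_branch_names(sample))
    print(build_hg_log_argv("/srv/repos/demo", "feature/login"))
```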