CVE-2018-13396 in SourceTree
Summary
by MITRE
There was an argument injection vulnerability in Sourcetree for macOS from version 1.0b2 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.
Analysis
by VulDB Data Team • 04/10/2020
CVE-2018-13396 is a critical argument injection flaw in Atlassian Sourcetree for macOS affecting versions before 3.0.0. The weakness lies in the handling of Git subrepositories inside Mercurial repositories and leads to code execution once Sourcetree processes such a repository. It stems from improper handling of repository-supplied input during Git operations in the Mercurial repository context: an attacker can inject arbitrary arguments that the underlying Git invocation then honours.
The vulnerability is classified as CWE-77, improper neutralization of special elements used in a command. When a user interacted with a Mercurial repository containing Git subrepositories, Sourcetree did not sanitize or escape command-line arguments before passing them to Git processes. Sourcetree builds Git commands dynamically from repository structure information; when that information, taken from a committed file or repository configuration, contains malicious input, the unescaped values become part of the executed command.
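The following is an added illustration of the argument-injection pattern described above, not Sourcetree's or Mercurial's own code. It parses a constructed `.hgsub` file (Mercurial's `<path> = [git]<source>` format), shows how a builder that places repository-controlled strings directly into the Git argv lets a value beginning with `-` be parsed as an option, and contrasts it with a hardened builder that rejects option-like values and terminates option parsing with `--`. The option-like source `--some-option=placeholder` is a placeholder, not a real Git option.

```python
"""Argument-injection check for Git subrepository entries in a Mercurial
.hgsub file.  Added illustration, not Sourcetree's code; the .hgsub content
below is constructed and the option-like value is a placeholder."""
import re
import shlex

# Constructed .hgsub content.  Mercurial's format is "<path> = [git]<source>".
HGSUB_SAMPLE = """\
libs/helper = [git]https://example.invalid/helper.git
vendor/tool = [git]--some-option=placeholder
"""

HGSUB_LINE = re.compile(r"^\s*(?P<path>[^=]+?)\s*=\s*\[git\](?P<source>.+?)\s*$")


def parse_hgsub(text):
    """Return (path, source) pairs for the Git subrepo entries in a .hgsub file."""
    entries = []
    for line in text.splitlines():
        m = HGSUB_LINE.match(line)
        if m:
            entries.append((m.group("path"), m.group("source")))
    return entries


def looks_like_option(value):
    """True when a repository-supplied value would be read by git as an option."""
    return value.startswith("-")


def build_clone_argv_unsafe(source, path):
    """Vulnerable pattern: repository-controlled strings are placed where git
    still parses options, so a source beginning with '-' becomes a flag."""
    return ["git", "clone", source, path]


def build_clone_argv_safe(source, path):
    """Hardened pattern: refuse option-like values and end option parsing with
    '--' so that everything after it is treated as an operand."""
    for value in (source, path):
        if looks_like_option(value):
            raise ValueError(f"refusing option-like subrepo value: {value!r}")
    return ["git", "clone", "--", source, path]


def audit_hgsub(text):
    """Report each subrepo path as 'ok' or 'rejected' under the hardened builder."""
    report = {}
    for path, source in parse_hgsub(text):
        try:
            build_clone_argv_safe(source, path)
            report[path] = "ok"
        except ValueError:
            report[path] = "rejected"
    return report


if __name__ == "__main__":
    # Show the argv each builder would hand to git; nothing is executed here.
    for path, source in parse_hgsub(HGSUB_SAMPLE):
        print("unsafe argv:", shlex.join(build_clone_argv_unsafe(source, path)))
    print(audit_hgsub(HGSUB_SAMPLE))
```

The second entry demonstrates the defect: the unsafe builder hands `--some-option=placeholder` to git in an option position, whereas the hardened builder rejects it before any process is spawned. The `--` separator alone is not a full fix for inputs that reach a transport or helper with its own parsing, which is why the reject-on-`-` check is kept as well.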
The impact is full code execution on the target system, not merely a privilege escalation. An attacker with commit permission to a Mercurial repository can craft a commit whose repository metadata or file structure, once processed by Sourcetree, results in command injection. The vector is particularly dangerous because it rides on legitimate Git functionality within Sourcetree, so the malicious behaviour looks like normal repository operations. The attack maps to ATT&CK technique T1059.001 (command and scripting interpreter), here the execution of shell commands through Git subrepository handling.
The exploitation chain begins when an attacker commits a malicious payload to a Mercurial repository containing Git subrepositories and Sourcetree's Git processing is then triggered. On encountering the crafted repository structure, the application runs Git commands with attacker-controlled arguments, giving arbitrary code execution with the privileges of the user running Sourcetree. The case shows how a seemingly benign repository management tool becomes an attack vector when input validation and sanitization are missing from its processing pipeline. Organizations using Sourcetree for macOS should upgrade to version 3.0.0 or later without delay: the vulnerability is a direct path to system compromise that needs no further attack vector or privilege beyond commit access to the repository. Exposure is greatest in development environments where many developers hold commit permissions on shared repositories.