The pedantic distinction between RCE and command injection
Tue 03 December 2024

On 2 July 2024, Sonar disclosed several unpatched RCEs in Gogs found by the amazing swapgs, and it sparked an interesting, albeit pedantic, discussion on an obscure IRC channel somewhere on the internet that might be of interest to a broader audience of nerds.

The vulnerabilities in question are:

- Argument Injection in the built-in SSH server (CVE-2024-39930, CVSS 9.9 Critical)
- Argument Injection when tagging new releases (CVE-2024-39933, CVSS 7.7 High)
- Argument Injection during changes preview (CVE-2024-39932, CVSS 9.9 Critical)
- Deletion of internal files (CVE-2024-39931, CVSS 9.9 Critical)

The proper nomenclature for the first three vulnerabilities isn't "remote code execution": an argument injection is a data-only attack. It typically only provides opportunities to (ab)use privileges the process already has, not to escalate them. In these cases, it would be better to describe them as "arbitrary command execution", but not "code execution". Microsoft uses the term Arbitrary Code Execution (ACE) to disambiguate, which I think is pretty nice.
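To make the argument-injection class concrete, here is an added example in Go (Gogs is written in Go); it is not Gogs' code and does not reproduce the vulnerable code paths from the advisories. It contrasts a naive argv builder for `git tag`, where an attacker-controlled tag name that starts with `-` would be parsed by git as an option, with a hardened builder that allowlists the name and terminates option parsing with `--`. The allowlist regex is a deliberately conservative assumption, not git's exact refname grammar, and the sample tag names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// sampleTags are constructed inputs: one legitimate tag name and two
// option-looking values of the kind an argument injection relies on.
var sampleTags = []string{"v1.2.3", "--output=/tmp/example", "-n"}

// naiveTagArgs shows the weak pattern: the user-controlled value is placed
// directly in argv, where git's option parser may still interpret it as a
// flag rather than a tag name. No shell is involved, which is exactly why
// this is argument injection (data-only) and not command or code execution.
func naiveTagArgs(tag string) []string {
	return []string{"tag", tag}
}

// optionLike reports whether a value would be consumed as an option by a
// getopt-style parser such as git's.
func optionLike(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// tagNameRe is an assumed, conservative allowlist: first character must be
// alphanumeric (so a leading '-' is impossible), then a small safe set.
var tagNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// safeTagArgs applies two independent defences: validate the name against
// the allowlist, and insert "--" so git treats everything after it as a
// positional argument even if validation were ever loosened.
func safeTagArgs(tag string) ([]string, error) {
	if !tagNameRe.MatchString(tag) ||
		strings.Contains(tag, "..") ||
		strings.HasSuffix(tag, ".lock") {
		return nil, errors.New("rejected tag name: " + tag)
	}
	return []string{"tag", "--", tag}, nil
}

func main() {
	for _, tag := range sampleTags {
		naive := naiveTagArgs(tag)
		fmt.Printf("naive argv %q -> option-like: %v\n", naive, optionLike(naive[1]))

		safe, err := safeTagArgs(tag)
		if err != nil {
			fmt.Println("hardened:", err)
			continue
		}
		// Only the validated, "--"-separated argv ever reaches exec.
		cmd := exec.Command("git", safe...)
		fmt.Printf("hardened argv %q (would run: %s)\n", safe, cmd.String())
	}
}
```

Running `main` only prints the argv that would be passed to `exec.Command`; it does not execute git. The point of the two-layer fix is that the `--` separator protects the option parser while the allowlist protects whatever the value is later used for (paths, ref names), since `--` alone does not make an arbitrary string a safe ref.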

Another important distinction is that arbitrary command execution can be effectively mitigated by access control policies like AppArmor, SELinux, Grsecurity's RBAC, OpenBSD's unveil and so on, whereas arbitrary code execution usually results in the ability to execute arbitrary code, including arbitrary syscalls. That opens the door to privilege escalation and is much harder to mitigate, as seccomp is virtually unusable for this and the remaining mechanisms are usually too coarse-grained to be effective.

Have fun being pedantic next time the latest trendy RCE is discussed at the coffee machine.