The CatInTheHat Attack uses a crafted input to exploit the popular /bin/cat software program. The software architecture suffers from a design pattern that enables leakage of sensitive information via arbitrary file content disclosure leveraging overt behaviors that exist when a file descriptor from open(2) is combined with use of the read(2) function.
You are affected if you use any UNIX-derived computing system, such as Ubuntu Linux, Red Hat Linux, Red Star OS, or macOS (even Linux releases prior to 1991). Installations of Microsoft Windows are unaffected as it is a commercial OS and not open source.
CVE-2021-M30W is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names managed by MITRE. Due to coincident discovery among several teams of security researchers, multiple CVEs were assigned, but to prevent confusion going forward CVE-2021-M30W should be used.
Bugs in single software versions or libraries come and go and are patched by new versions. However, this bug affects a huge number of devices and is caused by behaviors within POSIX libraries themselves, making it very difficult to fix. It should therefore be treated extremely seriously by all citizens of the world. Also, migrating all enterprise systems to commercial OSes to avoid future security concerns with POSIX subsystems and open source software like /bin/cat may be a prudent security architecture decision for defense-in-depth.
The CatInTheHat Attack allows processes that are configured with privileges to write to the standard input buffer to inject characters into the shell subsystem and execute a crafted execution of the /bin/cat binary. This enables black hat hackers, DevOps teams, and rogue nation states to access confidential information such as password hashes, social security numbers, garbage files, and .rhost files.
Example exploit:
neo@z1on# cd;ls;cd;/bin/cat${IFS}/etc/shadow
root:$6$XE4EE1jk$EfhyiBYKZye2613yGGH26lREOrrbyDivVcRWi04I9fN2V.wM2Lcr5NbfR8KieBJ.Fn7K80GhxHTjtFeVWhxja1:0:14600:14:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
phcadmin:!!:17289:0:99999:7:::
docker run --rm -v "${PWD}:/src" returntocorp/semgrep --config s/daghan:catinthehatattack
We know that it is often difficult to get non-technical management and project managers to appreciate the risk of a security bug. Therefore we have designed premium merchandise to help market this attack:
Despite the name, this vulnerability actually has nothing to do with the award-winning 😾😾😾 research but we agree with their cat themed vulnerability marketing™.
No. Everything is vulnerable and the world is on fire. Just kidding, happy April 1st!
This was a joint industry-wide project involving thousands of companies and the CERT teams of multiple planets. This multi-planetary advisory project was led by the IncludeSec security research team with sense-of-humor support from companies such as r2c.
This joke site is a reaction to those who seek to publish security research in ways that are only focused on branding and aren't constructive towards the overall goal of helping developers secure systems. We encourage security researchers to continue their efforts revealing security mistakes, challenges, and concerns, but we also want to encourage support for developers and defenders. Solutions and guidance on fixes are important!
Our message is: Don't just make a vuln logo, let's all work together to enable developers to make more secure software :-P