A critical vulnerability (CVE-2024-38366) in the trunk.cocoapods.org, the authentication server behind the CocoaPods package manager, exposed the entire infrastructure to Remote Code Execution (RCE). Attackers could exploit improper shell command use in email verification, ultimately gaining root access and modifying any CocoaPods registry entry. This issue was patched in September 2023 with commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3.
Background: What is trunk.cocoapods.org?
CocoaPods is a very popular dependency manager for Swift and Objective-C projects. Trunk is its server-side service for user authentication and package publishing. For security, when a new user signs up, the server checks if their email address is real — including checking for a valid MX record (Mail Exchanger DNS record) for the domain.
Where Did It Go Wrong? Misusing Shell in RFC-822 Email Validation
The email validation in the code relies on an RFC-822 library. As part of validation, it checks the DNS MX (mail exchange) records for the email domain. Instead of using a safe internal DNS lookup, the library made a shell call to perform this lookup.
Here’s where it went off the rails: If the input passed to this lookup wasn’t properly sanitized, an attacker could craft a malicious email address so that the lookup command would actually run any shell command on the trunk server, as root.
Example snippet (Pseudocode)
def verify_email(email)
domain = email.split("@")[1]
# Vulnerable: system() call without sanitization!
mx_results = dig +short mx #{domain}
return !mx_results.empty?
end
If the domain portion of the email (the part after the “@”) is manipulated like this
attacker@evil-domain.com; cat /etc/passwd;
The shell command would become
dig +short mx evil-domain.com; cat /etc/passwd;
And just like that, the attacker can read system files, or even worse, plant backdoors.
Trigger MX Validation:
The server runs the unsanitized shell command, executing both the MX check and the attacker’s command.
Take Over CocoaPods:
With root access, an attacker could write or alter *any* Podspec in trunk’s database. This means they could publish or update widely-used packages with malicious code.
Full Compromise: Root-level shell access to trunk server
- Registry Poisoning: Ability to modify or publish to any package in the official CocoaPods repository
- User Session Reset: All trunk user sessions were forcibly reset after discovery, because all accounts could be impacted
- Supply Chain Risk: Millions of iOS/Swift/ObjC projects rely on CocoaPods — a compromise could impact the broader developer ecosystem
The Patch
The vulnerability was fixed swiftly after discovery in September 2023. The problematic shell invocation was removed or replaced with a safe DNS MX lookup function that did not use system shell calls.
Fix reference:
- commit 001cc3a430e75a16307f5fd6cdff1363ad2f40f3
Fixed code (Pseudocode)
require 'resolv'
def verify_email(email)
domain = email.split("@")[1]
mx_records = []
Resolv::DNS.open do |dns|
mx_records = dns.getresources(domain, Resolv::DNS::Resource::IN::MX)
end
return !mx_records.empty?
end
This uses Ruby’s internal DNS library rather than invoking a shell.
References
- CocoaPods trunk GitHub
- Vulnerable commit diff
- CocoaPods blog *(news may be posted here)*
- CVE Record: CVE-2024-38366
Lessons Learned
- Never trust input: Even if the input “looks like” an email address, never pass it directly to the shell.
- Don’t call shell tools unless necessary: Use language-native libraries for DNS, file I/O, or other actions.
- Review code for RCE paths in authentication/validation logic: Even apparently harmless features — like email validation — can be a vector for high-severity attacks.
If you use CocoaPods, always keep an eye out for registry and infrastructure updates. Supply chain security matters!
Timeline
Published on: 07/01/2024 21:15:03 UTC
Last modified on: 08/02/2024 04:04:25 UTC