
Git Vulnerability May Lead to Arbitrary Code Execution

by Sergio De Simone, Jun 03, 2018

A flaw in Git's submodule name validation makes it possible for a remote attacker to execute arbitrary code on developer machines. A second flaw allows an attacker to read a portion of system memory. Both vulnerabilities have already been patched in Git 2.17.1, 2.16.4, 2.15.2, and other maintained versions.

As reported by security researcher Etienne Stalmans, unpatched versions of Git do not validate submodule names, so that:

A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system

Specifically, Git stores each submodule's repository inside the $GIT_DIR/modules directory, in a subdirectory named after the submodule's name as declared in the repository's .gitmodules file. By crafting the content of the .gitmodules file, it is thus possible to embed ../ in a submodule name and trick Git into writing the submodule's repository outside of $GIT_DIR/modules. Coupled with a malicious post-checkout hook, this makes it possible to run attacker-controlled code immediately after cloning a repository.

The fix enforces rules on submodule names and makes Git ignore any name that does not comply: names containing a .. path component are rejected, and symbolic links are not allowed on the path. This ensures the submodule's repository is always stored under $GIT_DIR/modules.

Stalmans stated he was able to achieve remote code execution on GitHub Pages by exploiting this vulnerability, although no exploits in the wild have been reported.

The second patched vulnerability affects repositories on the NTFS file system: the code that sanity-checks NTFS path names can be tricked into reading memory it should not, disclosing a portion of process memory to an attacker.

The Git community promptly provided fixes for both vulnerabilities in Git 2.13.7, which were also ported to 2.14.4, 2.15.2, 2.16.4, and 2.17.1. Furthermore, as an additional layer of defence, those releases can reject pushes of repositories containing problematic .gitmodules files when the server checks incoming objects (receive.fsckObjects). This is meant to:

help hosting sites protect their customers with older clients by preventing malicious contents from spreading.

GitHub and other code hosting services have already patched their systems.
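The name-to-path mapping, the .. rule the fix enforces, and the server-side rejection of bad .gitmodules files described above can be seen together in a small scanner of the kind a hosting site or CI job could run over a pushed .gitmodules blob. The following is an added example, not code from Git or from this article: it parses a .gitmodules blob with a simplified git-config reader, applies a check modelled on the rule above (non-empty name, no .. path component, with both / and \ treated as separators so the rule is the same on every platform), and computes where an unpatched Git would have placed each submodule's repository. The sample .gitmodules content, the submodule names, the URLs and the helper names are all constructed for the example.

```python
"""Scan a .gitmodules blob for submodule names that escape $GIT_DIR/modules.

Added example; not code from Git or from the article it accompanies. It models
the rule the fix enforces (reject '..' path components) and shows where an
unpatched Git would have placed each submodule's repository.
"""
import posixpath
import re

# [submodule "name"] section header; the name may contain backslash escapes.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
# key = value lines inside a section.
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return a list of (name, {key: value}) from .gitmodules content.

    Simplified git-config parsing: only [submodule "name"] sections, plain
    key = value lines, and '#'/';' comments. Includes and multi-line values
    are deliberately not handled.
    """
    modules = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            name = re.sub(r'\\(.)', r'\1', m.group(1))  # unescape \" and \\
            current = {}
            modules.append((name, current))
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def is_valid_submodule_name(name):
    """The rule the fix enforces: non-empty, and no '..' path component.

    Both '/' and '\\' are treated as separators so that a name that is
    harmless on Linux cannot become a traversal on Windows.
    """
    if not name:
        return False
    return all(component != '..' for component in re.split(r'[/\\]', name))


def module_git_dir(git_dir, name):
    """Where an unpatched Git would put the submodule's repository:
    $GIT_DIR/modules/<name>, with the name concatenated verbatim."""
    return posixpath.normpath(git_dir + '/modules/' + name)


def escapes_modules_dir(git_dir, name):
    """True if the resolved repository path lands outside $GIT_DIR/modules."""
    modules_dir = posixpath.normpath(git_dir + '/modules')
    target = module_git_dir(git_dir, name)
    return not (target == modules_dir or target.startswith(modules_dir + '/'))


def scan_gitmodules(text, git_dir='.git'):
    """Return {name: verdict}; verdict is 'ok' or a rejection reason."""
    report = {}
    for name, _cfg in parse_gitmodules(text):
        if not is_valid_submodule_name(name):
            report[name] = 'rejected: empty name or ".." component in submodule name'
        elif escapes_modules_dir(git_dir, name):
            report[name] = 'rejected: git dir would be ' + module_git_dir(git_dir, name)
        else:
            report[name] = 'ok'
    return report


# Constructed sample: one ordinary submodule and one whose *name* carries a
# traversal. Its path and url look innocuous; only the section header is hostile.
SAMPLE_GITMODULES = '''\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../evil"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
'''

if __name__ == '__main__':
    for name, verdict in scan_gitmodules(SAMPLE_GITMODULES).items():
        print(repr(name), '->', verdict)
```

Run stand-alone, the scanner reports libfoo as ok and ../../evil as rejected. The second check (escapes_modules_dir) is there to show the effect of the traversal rather than to replace the name rule: with a git dir of .git the hostile name resolves to a directory named evil at the top of the working tree, i.e. a location the attacker also controls through the repository's own tree, which is what lets a committed post-checkout hook run during the clone.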
