=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://exploitbox.io
- CVE-2020-27955
- Release date: 04.11.2020
- Revision 1.0
- Severity: Critical
=============================================

I. VULNERABILITY
-------------------------

Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE)

II. BACKGROUND
-------------------------

Git LFS

"An open source Git extension for versioning large files

Git Large File Storage (LFS) replaces large files such as audio samples,
videos, datasets, and graphics with text pointers inside Git, while storing
the file contents on a remote server like GitHub.com or GitHub Enterprise."

https://git-lfs.github.com/

---

Git

"Git is a free and open source distributed version control system designed
to handle everything from small to very large projects with speed and
efficiency."

https://git-scm.com/

III. INTRODUCTION
-------------------------

Git LFS (git-lfs) in versions <= 2.12 has a vulnerability that allows remote
attackers to execute arbitrary code on the victim's Windows system if the
victim simply clones the attacker's repository using common git version
control tools which make use of the git-lfs subsystem.

Vulnerable tools include:

- git
- GitHub CLI (gh CLI)
- GitHub Desktop
- SourceTree

and others, in their default configuration.

IV. DESCRIPTION
-------------------------

Git LFS does not specify a full path to the git binary when executing a new
git process via the following ExecCommand() function:

------------[ git-lfs - subprocess/subprocess_windows.go ]----------

...
func ExecCommand(name string, arg ...string) *Cmd {
	cmd := exec.Command(name, arg...)
	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	cmd.Env = fetchEnvironment()
	return newCmd(cmd)
}
...

--------------------------------------------------------------------

As the exec.Command() implementation on Windows systems includes the current
directory in its search, attackers may be able to plant a backdoor in a
malicious repository by simply adding an executable file named git.bat,
git.exe, git.cmd, or any other extension that is used on the victim's system
(PATHEXT environment dependent), in the main repo's directory.

As a result, the malicious git binary planted in this way will get executed
instead of the original git binary located in a trusted path.

V. PROOF OF CONCEPT
-------------------------

The most basic version of the git-lfs extension PoC exploit may be prepared
with the following steps:

1. Open powershell

2. Create a file named git.bat with the contents:

echo echo "git.bat executed, vulnerable" > exploited

3. Run the command:

git-lfs track

If the system has a vulnerable git-lfs version installed, the 'exploited'
file should get created in the current directory.

A git client PoC exploit showing how to achieve Remote Code Execution (RCE)
on the target upon cloning a malicious repository ('git clone' command) can
be found at:

Git RCE via CVE-2020-27955 git-lfs vulnerability

Demos for other git clients can be viewed at:

Visual Studio Code / VS Git-LFS RCE Exploit CVE-2020-27955
GitKraken Git-LFS RCE Exploit CVE-2020-27955
SmartGit Git-LFS RCE Exploit CVE-2020-27955
GitHub Desktop Git-LFS RCE Exploit CVE-2020-27955

VI. BUSINESS IMPACT
-------------------------

The vulnerability can lead to a full compromise of the victim's system, as
attackers can execute arbitrary commands remotely without the knowledge of
the victim, and the vulnerability is trivial to exploit.

Due to the critical severity, affected users and product vendors should
update to the latest git-lfs version as soon as possible.

VII. SYSTEMS AFFECTED
-------------------------

Applications using git with unpatched Git LFS (git-lfs) <= 2.12 on Windows
systems (Windows Server 2019, Windows 10 Pro etc.).

The following clients have been confirmed to be exploitable in their default
configuration / installation:

- Git for Windows
- GitHub CLI (gh)
- GitHub Desktop
- SmartGit
- SourceTree
- Visual Studio Code
- GitKraken

There are likely many more. Some of the other popular clients / development
IDEs are deemed to be affected as well, as most clients and IDEs install git
with the git-lfs extension by default:

- Eclipse
- fork
- tig
- GitExtensions
- Magit
- TortoiseGit
- gmaster
- GitAhead
- Sublime Merge
- Visual Studio
- GitAtomic
- Tower
- git-cola

Web applications / hosted repositories running on Windows which allow users
to import their repositories from a URL may also be exposed to this
vulnerability.

VIII. SOLUTION
-------------------------

This Remote Code Execution vulnerability was reported to the git-lfs vendor,
who issued a patched version 2.12.1 on the official git-lfs website linked
below.

IX. REFERENCES
-------------------------

git-lfs official website
Git-lfs security advisory
Git website
Git advisory and PoC
git-lfs exploit resulting in RCE on clone
git-lfs RCE exploit CVE-2020-27955 source-code (Go)
PoC repository on GitHub with git-lfs RCE CVE-2020-27955 exploit (bat/Powershell)
PoC repository on GitHub with git-lfs RCE CVE-2020-27955 exploit (Go version)
Git / GH CLI / Git-lfs PoC Video
https://legalhackers.com
https://ExploitBox.io

X. CREDITS
-------------------------

Discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
https://twitter.com/dawid_golunski
https://ExploitBox.io
https://twitter.com/Exploit_Box

XI. REVISION HISTORY
-------------------------

04.11.2020 - Advisory released, rev. 1

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.
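Added example, not part of the advisory or of git-lfs itself: a small Go model of the two lookup orders behind the issue described in section IV. lookupLegacy mirrors the search exec.Command performed on Windows before Go 1.19 (working directory first, then each PATH entry, each with every PATHEXT suffix), which is why a planted git.bat wins; lookupTrusted is a hardened lookup that only consults PATH and skips entries pointing at the working directory. The in-memory file system, paths, PATH and PATHEXT values are constructed, and forward slashes are used so the model runs on any OS.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// findIn returns the first name+PATHEXT candidate present in dir. fs stands
// in for the file system (lower-cased paths of files that exist).
func findIn(dir, name, pathExt string, fs map[string]bool) (string, bool) {
	for _, ext := range strings.Split(pathExt, ";") {
		if c := path.Join(dir, name+ext); fs[strings.ToLower(c)] {
			return c, true
		}
	}
	return "", false
}

// lookupLegacy models pre-Go-1.19 Windows exec.Command: working directory first, then PATH.
func lookupLegacy(name, cwd, pathEnv, pathExt string, fs map[string]bool) (string, error) {
	for _, dir := range append([]string{cwd}, strings.Split(pathEnv, ";")...) {
		if c, ok := findIn(dir, name, pathExt, fs); ok {
			return c, nil
		}
	}
	return "", fmt.Errorf("%s: not found", name)
}

// lookupTrusted never searches the working directory and skips PATH entries that
// point at it, so a git.bat in a cloned repo cannot shadow the installed git.exe.
func lookupTrusted(name, cwd, pathEnv, pathExt string, fs map[string]bool) (string, error) {
	for _, dir := range strings.Split(pathEnv, ";") {
		if dir == "" || dir == "." || strings.EqualFold(path.Clean(dir), path.Clean(cwd)) {
			continue // empty and "." entries mean the working directory on Windows
		}
		if c, ok := findIn(dir, name, pathExt, fs); ok {
			return c, nil
		}
	}
	return "", fmt.Errorf("%s: not found in any trusted PATH entry", name)
}

func main() {
	// Constructed scenario: a cloned repository carrying git.bat, genuine git.exe under Program Files.
	fs := map[string]bool{"c:/users/victim/evil-repo/git.bat": true, "c:/program files/git/cmd/git.exe": true}
	cwd, pathEnv, pathExt := "C:/Users/victim/evil-repo", "C:/Windows/System32;C:/Program Files/Git/cmd", ".COM;.EXE;.BAT;.CMD"
	fmt.Println(lookupLegacy("git", cwd, pathEnv, pathExt, fs))  // planted git.BAT wins
	fmt.Println(lookupTrusted("git", cwd, pathEnv, pathExt, fs)) // real git.EXE
}
```

On Go 1.19 and later, exec.LookPath itself returns exec.ErrDot when a lookup would resolve into the current directory, which is the same check lookupTrusted makes explicit here.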