Shulou(Shulou.com)05/31 Report--

How to implement arbitrary code execution in clone? for this problem, this article introduces the corresponding analysis and answer in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

Overview of 0x00

Today, git and git for window have released the latest versions of Git 2.17.1 and Git for Windows 2.17.1, which are mainly used to solve a serious vulnerability in git: CVE-2018-11235.

The vulnerability allows execution of arbitrary code when running 'git clone-recurse-submodules' (or deprecated gi tclone-- recursive). A malicious repository can contain a .git modules submodule configuration file that points to the outside of the warehouse. When git clones such a repository, it is tricked into executing hook within the clone sub-module (not the .git directory) to implement arbitrary code execution.

0x01 bug detailed explanation

When the Git repository contains child modules, in order to compile project management, the warehouse structure of the child module can exist with the parent warehouse structure in the .git folder. The warehouse structure of a child module is usually stored in a folder with the same name as the child module, but the name of this folder can be configured by a file in the parent repository.

The problem version of git allows the configuration to include paths that do not necessarily belong to the .git directory. As a result, attackers can carefully design and create a parent repository with another Git repository as a folder within that parent repository. The repository can then be added to the parent warehouse as a child module. The location of the child module can be configured with a non-.git folder that points to the check-in repository within the parent repository itself.

When recursively clone the parent repository, Git examines the configured submodule and then looks for the location where the submodule library is stored. It will follow the local configuration of the parent warehouse and check it into the warehouse. The warehouse will be used to check out the sub-module, and any hook scripts that are checked into the warehouse will run because there is no filtering.

As a result, attackers can bundle this repository configuration with a malicious post-checkout script, and their code repository recursive clone executes immediately.

0x11 vulnerability affects 0x1101 Git custodian

Because, in practice, most people rely on managed service providers (such as Github) to store code, the service custodian simply stops the warehouse from spreading. It is reported that Visual Studio Team Services, GitLab and Github will actively block any repositories that try to set up git submodules outside the .git directory.

0x1102 Git client

Blocking malicious repositories in managed providers shuts down attack media sources, but it does not rule out other hosts and other malicious exploits (such as spoofing a github site). Therefore, it is recommended to upgrade the git client as soon as possible.

0x12 vulnerability detection

Checking for vulnerabilities is also very simple. You can check whether there is a problem with your git by using the following script:

Create a new temporary directory and run it:

Mkdir chongchongtemp & & cd chongchongtemp

Git init test & &\

Cd test & &\

Git update-index-- add-- cacheinfo 120000jue e69de29bb2d1d6434b8b29ae775ad8c2e48c5391recovery.gitmodules

Error: Invalid path '.gitmodules'

Fatal: git update-index:-- cacheinfo cannot add .gitmodules

Note: this command does not clone any repositories and does not execute any dangerous instructions.

If it is displayed as:

Error: Invalid path '.gitmodules'

Fatal: git update-index:-- cacheinfo cannot add .gitmodules

Your version is not affected by this vulnerability.

If your git is unprompted and you create an empty repository, there is something wrong with your version.

0x13 vulnerability resolution windows:

Obtain the latest version of Git for Windows (version 2.17.1) from gitforwindows.

MacOS

Apple publishes Git using Xcode, but does not have a regular update mechanism. Therefore, you need to use third-party package management for version upgrades. It is recommended that you use Homebrew Manager.

If you haven't already installed Homebrew, install it with the following command:

/ usr/bin/ruby-e "$(curl-fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

You can then use Homebrew to install and upgrade git:

Brew install git

Brew update git

Linux (Debian,Ubuntu)

If you are using a distribution of Ubuntu or Debian, there may be an update package released soon, please pay attention to the update.

Redhat,CentOS:

Sudo yum update git

Debian,Ubuntu:

Sudo apt-get update git

This is the answer to the question about how to implement arbitrary code execution in clone. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.