2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through an example analysis of remote code execution vulnerabilities in the Git command-line tool.
Problem description
By default, when Git clones a code base with submodules, it first clones the top level of the code base (the root directory), and then recursively clones the submodules. But when it does, it starts a new Git process from the top-level directory.
The cloning process is normal, and there is no visible indication that malicious binaries are running instead of the original git executable.
Since our first report was released in November 2020, GitHub has created the SafeExec library to mitigate the risk posed by the inconsistent binary search order in Windows.
To recap briefly, Windows first checks whether the given binary exists in the current folder. Only if the binary cannot be found there does it traverse the directories in the %PATH% environment variable until the target executable is found.
In the v1.2.1 version of gh, a safeexec.LookPath function was introduced to prevent remote code execution when cloning a new repository by abusing the Windows path search order.
After careful study, our security engineer Vitor Fernandes found a way to bypass it so that we could use it for remote code execution.
During the vulnerability discovery process, we found that a remote code execution scenario could still occur when forking a new private repository, because "git.exe config credential.namespace" is not called through the safeexec.LookPath function after the clone command is executed. Windows therefore falls back to its default behavior and searches for the git.exe binary in the currently cloned repository:
Here is the code in src/shared/Microsoft.Git.CredentialManager/CommandContext.cs:
We can see that at line 89, a new process is created to search for git.exe, and "Environment.LocateExecutable('git.exe')" is passed to the GitProcess() function as a directory path parameter.
The following figure shows the code of the Environment.LocateExecutable () function:
/src/shared/Microsoft.Git.CredentialManager/EnvironmentBase.cs
Code for the function Environment.TryLocateExecutable:
When you use the Windows utility where.exe, it returns every matching file or command it finds, searching both the directories in %PATH% and the current directory.
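The search-order problem described above is avoided when a command name is resolved against the %PATH% directories only and the current directory is never consulted. The following Go function is an added example of that idea, not code from gh, the SafeExec library or Git Credential Manager; lookPathNoCwd, ErrNotFound and their parameters are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound is returned when no trusted PATH directory holds the executable.
var ErrNotFound = errors.New("executable not found in PATH")

// lookPathNoCwd (hypothetical helper) resolves file against the directories in
// pathEnv only. Unlike the default Windows search described above, it never
// consults the current directory: empty, "." and other relative PATH entries
// are skipped, and so is any entry that is the current directory itself.
func lookPathNoCwd(file, pathEnv, cwd string, exts []string) (string, error) {
	// A name containing a separator is a path, not a command name; refuse it.
	if strings.ContainsAny(file, `/\`) {
		return "", fmt.Errorf("%q: expected a bare command name", file)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if !filepath.IsAbs(dir) || filepath.Clean(dir) == filepath.Clean(cwd) {
			continue
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, file+ext)
			if info, err := os.Stat(candidate); err == nil && info.Mode().IsRegular() {
				return candidate, nil
			}
		}
	}
	return "", ErrNotFound
}

func main() {
	cwd, err := os.Getwd()
	if err != nil {
		fmt.Println("cannot determine current directory:", err)
		return
	}
	// Constructed call: on Windows the extension list would come from %PATHEXT%.
	path, err := lookPathNoCwd("git", os.Getenv("PATH"), cwd, []string{"", ".exe"})
	fmt.Println(path, err)
}
```

The returned absolute path is what should be handed to the process-creation call, so that a git.exe sitting in a freshly cloned working directory is never picked up.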
Vulnerability exploitation
Here are the exploit steps for this vulnerability:
Create a new code base, or add files to an existing code base
Upload a Windows executable to this code base and rename it exe
Wait for the target user to fork this code base
A shell is then successfully obtained.
In the following example, we renamed calc.exe to git.exe and uploaded it to the target code library:
After the code base is forked and the "gh repo fork REPOSITORY_NAME --clone" command is executed, the calculator program pops up on the target device: