Jump to content
Nytro

Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE)

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted 

    __                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  
           /____/                                                   


 <-- BACK TO legalhackers.com 





=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://exploitbox.io

- CVE-2020-27955
- Release date: 04.11.2020
- Revision 1.0
- Severity: Critical
=============================================


I. VULNERABILITY
-------------------------

Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE)


II. BACKGROUND
-------------------------

Git LFS

"An open source Git extension for versioning large files

Git Large File Storage (LFS) replaces large files such as audio samples, 
videos, datasets, and graphics with text pointers inside Git, while 
storing the file contents on a remote server like GitHub.com or GitHub 
Enterprise."

https://git-lfs.github.com/


---

Git

"Git is a free and open source distributed version control system designed to 
handle everything from small to very large projects with speed and efficiency.

https://git-scm.com/


III. INTRODUCTION
-------------------------


Git LFS (git-lfs)in versions <= 2.12 has a vulnerability that allows remote 
attackers to execute arbitrary code on the victim's Windows system if the
victim simply clones the attacker's repository using common git version 
control tools which make use of git-lfs subsystem.

Vulnerable tools include: 

- git
- GitHub CLI (gh CLI)
- GitHub Desktop
- SourceTree

and others, in their default configuration.



IV. DESCRIPTION 
-------------------------


Git LFS does not specify a full path to git binary when executing a new
git process via the following ExecCommand() function:


------------[ git-lfs - subprocess/subprocess_windows.go ]----------
...
    func ExecCommand(name string, arg ...string) *Cmd {
        cmd := exec.Command(name, arg...)
        cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
        cmd.Env = fetchEnvironment()
        return newCmd(cmd)
    }
...
--------------------------------------------------------------------

As the exec.Command() implementation on Windows systems include the
current directory, attackers may be able to plant a backdoor in a
malicious repository by simply adding an executable file named: 
git.bat, git.exe, git.cmd or any other extension that is used on the 
victim's system (PATHEXT environment dependent), in the main repo's directory.
As a result, the malicious git binary planted in this way will get executed 
instead of the original git binary located in a trusted path.


V. PROOF OF CONCEPT
-------------------------


The most basic version of the git-lfs extension PoC exploit may be prepared 
with the following steps:

1. Open powershell

2. Create a file named git.bat with the contents:

echo
echo "git.bat executed, vulnerable"  > exploited

3. Run the command:

git-lfs track


If the system has a vulnerable git-lfs version installed, 'exploited' file
should get created in the current directory.


A git client PoC exploit showing how to achieve Remote Code Execution (RCE) on the target 
upon cloning a malicious repository ('git clone' command) can be found at:

Git RCE via CVE-2020-27955 git-lfs vulnerability



Demos for other git clients can be viewed at:

Visual Studio Code / VS Git-LFS RCE Exploit CVE-2020-27955

GitKraken Git-LFS RCE Exploit CVE-2020-27955

SmartGit Git-LFS RCE Exploit CVE-2020-27955

GitHub Desktop Git-LFS RCE Exploit CVE-2020-27955


VI. BUSINESS IMPACT
-------------------------

The vulnerability can lead to a full compromise of the victim's system as
attackers can execute arbitrary commands remotely without the knowledge of the
victim and the vulnerability is trivial to exploit.

Due to the critical severity, affected users and product vendors should update 
to the latest git-lfs version as soon as possible.

 
VII. SYSTEMS AFFECTED
-------------------------

Applications using git with unpatched Git LFS  (git-lfs) <= 2.12 on Windows 
systems (Windows Server 2019, Windows 10 Pro etc.).

The following clients have been confirmed to be exploitable in their default
configuration / installation:

- Git for Windows

- GitHub CLI (gh)

- GitHub Desktop

- SmartGit

- SourceTree

- Visual Studio Code

- GitKraken


There are likely many more. Some of the other popular clients / development IDEs
are deemed to be affected as well as most clients IDEs install git with git-lfs
extension by default:

- Eclipse

- fork

- tig

- GitExtensions

- Magit

- TortoiseGit

- gmaster

- GitAhead

- Sublime Merge

- Visual Studio

- GitAtomic

- Tower

- git-cola


Web applications / hosted repositories running on Windows which allow users to
import their repositories from a URL may also be exposed to this vulnerability.


VIII. SOLUTION
-------------------------

This Remote Code Execution vulnerability was reported to git-lfs vendor who 
issued a patched version 2.12.1 on the official git-lfs website linked below. 



 
IX. REFERENCES
-------------------------

git-lfs official website

Git-lfs security advisory

Git website


Git advisory and PoC git-lfs exploit resulting in RCE on clone

git-lfs -RCE exploit CVE-2020-27955 source-code (Go)

PoC repository on GitHub with git-lfs RCE CVE-2020-27955 exploit (bat/Powershell)
PoC repository on GitHub with git-lfs RCE CVE-2020-27955 exploit (Go version)


Git / GH CLI / Git-lfs PoC Video


https://legalhackers.com

https://ExploitBox.io



X. CREDITS
-------------------------

Discovered by

Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com

https://ExploitBox.io

XI. REVISION HISTORY ------------------------- 04.11.2020 - Advisory released, rev. 1 XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. email3.png ~~~~~~~~~~~~~ ExploitBox.io ~~~~~~~~~~~~~~~~ exploitbox_logo.png ExploitBox.io A Playground & Labs for security folks into hacking & the art of exploitation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <-- BACK TO legalhackers.com

 

Sursa; https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...