←back to thread

Breaking Git with a carriage return and cloning RCE

(dgl.cx)
349 points dgl | 1 comments | 08 Jul 25 17:48 UTC | HN request time: 0s | source
Show context
armchairhacker ◴[08 Jul 25 18:32 UTC] No.44502705[source]
> The result of all this, is when a submodule clone is performed, it might read one location from path = ..., but write out a different path that doesn’t end with the ^M.

How does this achieve “remote code execution” as the article states? How serious is it from a security perspective?

> I'm not sharing a PoC yet, but it is an almost trivial modification of an exploit for CVE-2024-32002. There is also a test in the commit fixing it that should give large hints.

EDIT: from the CVE-2024-32002

> Repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.

So a repository can contain a malicious git hook. Normally git hooks aren’t installed by ‘git clone’, but this exploit allows one to, and a git hook can run during the clone operation.

replies(5): >>44502770 #>>44502837 #>>44502889 #>>44503715 #>>44505808 #
beala ◴[08 Jul 25 18:54 UTC] No.44502889[source]
More information here (https://github.blog/open-source/git/git-security-vulnerabili...) on the new CVE:

> When reading a configuration value, Git will strip any trailing carriage return (CR) and line feed (LF) characters. When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on. When initializing a submodule whose path contains a trailing CR character, the stripped path is used, causing the submodule to be checked out in the wrong place.

> If a symlink already exists between the stripped path and the submodule’s hooks directory, an attacker can execute arbitrary code through the submodule’s post-checkout hook.

Along with a bunch of other git CVEs that are worth a look.

replies(2): >>44503945 #>>44511461 #
gitfan86 ◴[08 Jul 25 20:49 UTC] No.44503945[source]
This seems easy for GitHub to block
replies(1): >>44505630 #
kragen ◴[09 Jul 25 01:49 UTC] No.44505630[source]
It's not sufficient for GitHub to block it; plenty of Git repositories don't have anything to do with GitHub.
replies(2): >>44505779 #>>44511646 #
1. dgl ◴[09 Jul 25 02:18 UTC] No.44505779{3}[source]
Submodules can be any URL (and recursive), so for GitHub to block this totally would require them to crawl other forges (and some URLs could be private URLs, but GitHub likely can't tell that apart from an attacker who is just blocking GitHub). So the risk is GitHub could say they are blocking this and give a false sense of security.

Some previous bugs have resulted in validation added to git fsck, but because clone URLs can't change after the submodules are initialised that's not going to have any benefit here. (There were some defence-in-depth measures discussed, there's definitely a few things that can be improved here.)