←back to thread

Breaking Git with a carriage return and cloning RCE

(dgl.cx)
349 points dgl | 1 comments | 08 Jul 25 17:48 UTC | HN request time: 0.605s | source
Show context
armchairhacker ◴[08 Jul 25 18:32 UTC] No.44502705[source]
> The result of all this, is when a submodule clone is performed, it might read one location from path = ..., but write out a different path that doesn’t end with the ^M.

How does this achieve “remote code execution” as the article states? How serious is it from a security perspective?

> I'm not sharing a PoC yet, but it is an almost trivial modification of an exploit for CVE-2024-32002. There is also a test in the commit fixing it that should give large hints.

EDIT: from the CVE-2024-32002

> Repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.

So a repository can contain a malicious git hook. Normally git hooks aren’t installed by ‘git clone’, but this exploit allows one to, and a git hook can run during the clone operation.

replies(5): >>44502770 #>>44502837 #>>44502889 #>>44503715 #>>44505808 #
1. dgl ◴[09 Jul 25 02:25 UTC] No.44505808[source]
I've adjusted that paragraph to make it more clear how writing a file can lead to code execution.