←back to thread

Breaking Git with a carriage return and cloning RCE

(dgl.cx)
358 points dgl | 1 comments | 08 Jul 25 17:48 UTC | HN request time: 0.205s | source
Show context
armchairhacker ◴[08 Jul 25 18:32 UTC] No.44502705[source]
> The result of all this, is when a submodule clone is performed, it might read one location from path = ..., but write out a different path that doesn’t end with the ^M.

How does this achieve “remote code execution” as the article states? How serious is it from a security perspective?

> I'm not sharing a PoC yet, but it is an almost trivial modification of an exploit for CVE-2024-32002. There is also a test in the commit fixing it that should give large hints.

EDIT: from the CVE-2024-32002

> Repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.

So a repository can contain a malicious git hook. Normally git hooks aren’t installed by ‘git clone’, but this exploit allows one to, and a git hook can run during the clone operation.

replies(5): >>44502770 #>>44502837 #>>44502889 #>>44503715 #>>44505808 #
beala ◴[08 Jul 25 18:54 UTC] No.44502889[source]
More information here (https://github.blog/open-source/git/git-security-vulnerabili...) on the new CVE:

> When reading a configuration value, Git will strip any trailing carriage return (CR) and line feed (LF) characters. When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on. When initializing a submodule whose path contains a trailing CR character, the stripped path is used, causing the submodule to be checked out in the wrong place.

> If a symlink already exists between the stripped path and the submodule’s hooks directory, an attacker can execute arbitrary code through the submodule’s post-checkout hook.

Along with a bunch of other git CVEs that are worth a look.

replies(2): >>44503945 #>>44511461 #
gitfan86 ◴[08 Jul 25 20:49 UTC] No.44503945[source]
This seems easy for GitHub to block
replies(1): >>44505630 #
kragen ◴[09 Jul 25 01:49 UTC] No.44505630[source]
It's not sufficient for GitHub to block it; plenty of Git repositories don't have anything to do with GitHub.
replies(2): >>44505779 #>>44511646 #
gitfan86 ◴[09 Jul 25 15:58 UTC] No.44511646[source]
You can always find edge cases in security. Someone somewhere is running Internet Explorer 10 but that doesn't mean Chrome fixing bugs doesn't dramatically reduce effectiveness of attacks
replies(2): >>44511939 #>>44512171 #
1. randomjoe2 ◴[09 Jul 25 16:27 UTC] No.44511939[source]
Someone using git without github isn't an edge case, it's the default