Git is the most popular open-source, distributed revision control system used by developers all around the world. It enables teams to collaborate on projects effectively and efficiently. One of the key features of Git is git shell, a restricted login shell facilitating Git's push/pull functionality via SSH.

Recently, a critical vulnerability (CVE-2022-39260) has been discovered in git shell that affects versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4. This vulnerability can lead to arbitrary heap writes, potentially allowing remote code execution on a victim's machine. This post will provide details about how this vulnerability can be exploited, as well as ways to mitigate its impact.

Vulnerability Details

In the git shell, the function responsible for splitting command arguments into an array improperly uses an int to represent the number of entries in the array. Due to this implementation, a malicious actor can intentionally overflow the return value, resulting in arbitrary heap writes. Furthermore, since the resulting array is passed to execv(), an attacker can leverage this attack to execute arbitrary code remotely on the victim's machine.

Code Snippet

Here's a code snippet that demonstrates the improper usage of int for representing the number of entries in an array:

int split_cmd_line(char **argv, char *line)
{
    // ... (code to process line)
    int argc = ;
    while (ptr != NULL)
    {
        argv[argc++] = ptr;
        ptr = strtok(NULL, " ");
    }
    // ... (code to return argc)
}

The Vulnerable Process

For a victim to be vulnerable to this attack, they must first grant access to the git shell as a login shell. Once the attacker has access to the git shell, they can carefully craft a command that exploits the vulnerability, potentially leading to arbitrary code execution.

Mitigation and Patch

To avoid this security issue, users are strongly encouraged to upgrade their Git installations to versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, or 2.37.4. These versions include a patch that fixes the vulnerability.

As a short-term workaround, users can opt to disable git shell access via remote logins, restricting potential attackers from exploiting the vulnerability.

- CVE-2022-39260 Git Advisory
- git/git Repository
- Git Official Website

Conclusion

Security vulnerabilities are common in software projects, particularly in widely-used projects like Git. Staying informed about these issues and applying recommended patches or workarounds in a timely manner is critical to maintaining a secure system. While this specific vulnerability requires granting access to git shell as a login shell, it serves as a reminder to always be cautious about the permissions granted to external users and the software you rely on.

Timeline

Published on: 10/19/2022 12:15:00 UTC
Last modified on: 11/16/2022 18:30:00 UTC