Git is a popular, fast, and scalable distributed version control system that provides both high-level operations and full access to its internal features. Unfortunately, a recent vulnerability (CVE-2024-50349) has been discovered, which allows attackers to trick users into providing their credentials for trusted Git hosting sites by crafting URLs with malicious ANSI escape sequences. This blog post will dive into the details of this vulnerability, including code snippets, original references, and exploit details.

Exploit Details

When Git asks for credentials through a terminal prompt (i.e., without using any credential helper), it prints the hostname for which the user is expected to provide a username and/or password. However, any URL-encoded parts have already been decoded at this stage and are printed as-is. This makes it relatively easy for attackers to craft URLs containing ANSI escape sequences, which the terminal interprets, confusing the user. For example, a user who expects to enter their password for a legitimate Git hosting site can be shown a URL that appears to name the trusted site while, in reality, the password is sent to an untrusted site under the attacker's control.

Here's a simple code snippet that demonstrates the concept of ANSI escape sequences used in the vulnerability:

import urllib.parse

# Sample malicious URL (ESC [ 1;31m is a complete ANSI colour sequence)
malicious_url = "https://example.git\x1B[1;31m@evilsite.com/repo.git"

# Decoding URL-encoded parts, if any
decoded_url = urllib.parse.unquote(malicious_url)

# Printing decoded URL, with ANSI escape sequence causing confusion
print(decoded_url)

Patch and Recommendations

This vulnerability has been patched through commits 7725b81 and c903985, which are included in Git release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are strongly advised to upgrade their Git version to any of these patched versions to protect against this issue.

For users who are unable to upgrade their Git version, some precautions can be taken to reduce the risk of this vulnerability. Avoid cloning repositories from untrusted URLs, especially when using the --recursive flag, as this may expose you to the vulnerability.
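One way to vet a URL before cloning on a system that cannot be upgraded, as an added example (not Git's code and not the patch): it percent-decodes the URL, reports any control character the terminal could interpret, and produces a form that is safe to print. The function names and sample hosts are assumptions made for this illustration, and the check covers the whole URL rather than only the hostname.

```python
import unicodedata
import urllib.parse

# Cc = control characters (ESC, newline, C1 range); Cs = surrogates, which
# here stand for raw bytes that were not valid UTF-8 after decoding.
UNSAFE = ("Cc", "Cs")


def decode_url(url):
    """Percent-decode the URL, keeping undecodable bytes as surrogates."""
    raw = urllib.parse.unquote_to_bytes(url)
    return raw.decode("utf-8", errors="surrogateescape")


def control_chars(url):
    """Return (offset, code point) for each unsafe character after decoding."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(decode_url(url))
            if unicodedata.category(c) in UNSAFE]


def safe_display(url):
    """Decoded URL with unsafe characters percent-encoded again, so that
    printing it cannot change what the terminal shows."""
    return "".join(
        urllib.parse.quote(c.encode("utf-8", "surrogateescape"), safe="")
        if unicodedata.category(c) in UNSAFE else c
        for c in decode_url(url))


def vet(url):
    """Return (ok, findings, printable form) for a URL about to be cloned."""
    findings = control_chars(url)
    return (not findings, findings, safe_display(url))


# Constructed sample inputs; the hosts are hypothetical.
SAMPLES = [
    "https://git.example.com/team/repo.git",
    "https://git.example.com%1B[1;31m@other.example.net/repo.git",
    "https://git.example.com/%0Arepo.git",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, findings, shown = vet(url)
        print("OK    " if ok else "REJECT", shown, findings)
```

The same check can be run over the `url` entries of a repository's `.gitmodules` file before a recursive clone.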

Conclusion

CVE-2024-50349 is a critical vulnerability in Git that can lead to credential leakage through crafted URLs containing malicious ANSI escape sequences. Users are urged to upgrade their Git version to the latest patched versions and exercise caution when cloning from untrusted URLs.

Original References

1. Git Security Advisory
2. Patch Commit - 7725b81
3. Patch Commit - c903985

Timeline

Published on: 01/14/2025 19:15:32 UTC
Last modified on: 01/21/2025 17:15:14 UTC