CVE-2017-8386: using the less command to bypass the git-shell command restrictions - vulnerability warning - The Black Bar Safety Net

ID MYHACK58:62201786028
Type myhack58
Reporter Anonymous
Modified 2017-05-11T00:00:00


git-shell is a restricted shell for git remote sessions tunnelled over SSH. The basic idea behind it is to limit the commands that can be executed in the SSH session to the ones git needs. The commands git needs to execute are the following:

    git-receive-pack     Receives repository updates from the client (push).
    git-upload-pack      Sends repository updates to the client (fetch/clone).
    git-upload-archive   Sends a repository archive to the client.

Besides these built-in commands, an administrator can provide custom commands through shell scripts or other executables. Since those are entirely site-specific, the discussion here concentrates on the built-in commands.

If you are familiar with git, you probably know that most servers encapsulate the git protocol in SSH or HTTP/S [3]. This is because the git protocol is a simple text protocol [4] that provides no authentication or protection for the transmitted data. The usual practice is to use SSH for write access control to the repository, because SSH itself provides several authentication mechanisms, reliable encryption and low protocol overhead. The drawback of using SSH is that, by default, it gives the remote user shell access, and a git user usually should not have shell access. To restrict the connection so that it can only reach the repository, the user's normal shell (typically bash or something similar) has to be replaced with a more restricted shell. Hosting providers usually implement the git commands above themselves, but you can also use the shell shipped by the git developers, git-shell, which only allows whitelisted commands to be executed. The setup is very simple: the recommended way is to create a dedicated user on the server and set git-shell as that user's login shell [5].
Another way is to use SSH forced commands, which restrict each client depending on the key used to log in; this approach is covered later.

If a local repository has the remote configured, git push essentially executes the following command:

    $ ssh git@remoteserver "git-receive-pack '/myrepository.git'"
    008957d650a081a34bcbacdcdb5a94bddb506adfe8e0 refs/heads/develop report-status delete-refs side-band-64k quiet ofs-delta agent=git/2.1.4
    003fbe8910f121957e3326c4fdd328ab9aabd05abdb5 refs/heads/master
    00000000

(Both repositories are at the same commits here.) If the executed command is not in the whitelist, i.e. it is neither one of the built-in commands listed above nor an executable in the git-shell-commands directory under the home directory, an error message reports that the command is not recognized. Since this is not an interactive shell, the typical command injection attacks do not apply here: the command line is only split at spaces (a quoted string is kept whole) and executed via execve. This led me to look more closely at the binaries that handle the protocol themselves.

git provides a help command that opens the manual page (man page) of a given command, for example for init:

    $ git help init
    GIT-INIT(1)                       Git Manual                       GIT-INIT(1)

    NAME
        git-init - Create an empty Git repository or reinitialize an existing one
    [...]

Some other commands also display their help page through the --help parameter, as shown below:

    $ git init --help
    GIT-INIT(1)                       Git Manual                       GIT-INIT(1)

    NAME
        git-init - Create an empty Git repository or reinitialize an existing one
    [...]

The same applies to the git-receive-pack and git-upload-archive commands. Running git-receive-pack --help on the server:

    $ ssh git@remoteserver "git-receive-pack '--help'"
    GIT-RECEIVE-PACK(1)               Git Manual               GIT-RECEIVE-PACK(1)

    NAME
        git-receive-pack - Receive what is pushed into the repository
    [...]

But how does this help bypass the restriction on which commands can be executed? On most systems, when the man command opens a help page, the man source is parsed, rendered, and the ANSI output is piped into a pager, usually less, so that the help page can be scrolled and searched regardless of the terminal's capabilities. Besides being a simple pager, less has additional interactive features: it can open other files, write the currently displayed output to a log file, and execute system commands in the current shell. To use these features, less has to run in interactive mode, which is available whenever a pty is available. A pty is normally allocated for an SSH login to a server, but not when a command is run directly. Fortunately, the ssh client can be forced to allocate a pty with the -t option, as long as the server side does not disable it, and servers usually do not. Example:

    $ ssh -t git@remoteserver "git-receive-pack '--help'"
    GIT-RECEIVE-PACK(1)               Git Manual               GIT-RECEIVE-PACK(1)

    NAME
        git-receive-pack - Receive what is pushed into the repository
    Manual page git-receive-pack(1) line 1 (press h for help or q to quit)

Now the interactive features of less can be used. The recommended setup described above has one limitation: any command executed from the shell runs in the current git-shell environment, so the restrictions git-shell imposes on the command given to ssh also apply to commands executed at this point. Still, within those limits it is possible to read files, list directories using tab completion, and write the currently displayed content to a file, and if part of that file content can be controlled, the role of the more
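A defensive check that follows from the above, as an added example (not code from the article or from git itself): a forced-command wrapper for the authorized_keys approach the text mentions. It assumes sshd passes the client's command in SSH_ORIGINAL_COMMAND, that bare repositories live under an assumed GIT_ROOT, and it refuses any argument beginning with a dash, the same idea as the upstream fix, so that `--help` never reaches git-receive-pack and no pager is ever spawned.

```bash
#!/bin/sh
# Added example, not code from the original article or from git itself.
# Intended as the forced command of an authorized_keys line such as
#   no-pty,no-port-forwarding,command="/usr/local/bin/git-forced" ssh-ed25519 AAAA...
# sshd then hands the client's command over in SSH_ORIGINAL_COMMAND and never
# allocates a pty. The whitelist mirrors git-shell's built-in commands, but any
# argument that looks like an option (begins with '-') is rejected, so
# "git-receive-pack '--help'" is refused before man/less could be started.
# GIT_ROOT is an assumed location for the bare repositories.
GIT_ROOT="${GIT_ROOT:-/srv/git}"

# validate_git_command RAW_COMMAND
# Returns 0 and prints "<command> <absolute repo path>" when RAW_COMMAND is an
# allowed git command with exactly one safe repository argument; returns 1
# otherwise.
validate_git_command() {
    set -f                       # no globbing while splitting the raw command
    set -- $1                    # split at whitespace, as git-shell does
    set +f
    [ "$#" -eq 2 ] || return 1   # exactly one argument after the command name

    case "$1" in
        git-receive-pack|git-upload-pack|git-upload-archive) ;;
        *) return 1 ;;
    esac

    # The git client sends the path single-quoted: strip one pair of quotes.
    repo=${2#\'}
    repo=${repo%\'}
    case "$repo" in
        ''|-*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;   # option-like, traversal, odd chars
    esac

    printf '%s %s\n' "$1" "$GIT_ROOT/${repo#/}"
}

# Entry point when used as the forced command (skipped when sourced for tests).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if argv=$(validate_git_command "$SSH_ORIGINAL_COMMAND"); then
        # shellcheck disable=SC2086
        exec $argv
    fi
    echo "fatal: command not allowed" >&2
    exit 1
fi
```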
