Vulnerability in Git: Execution of arbitrary commands
A new critical vulnerability has been discovered in CVE-2014-9390 in Git, allowing to execute arbitrary commands on the client.
The essence of the vulnerability is the ability to commit in .Git / config , which is equivalent to the service path .git / config on case-insensitive file systems. This makes it possible to initiate the launch of arbitrary commands on the client. In general, workstations on Windows and Mac OS X are vulnerable, and Linux systems will be affected if case-sensitive file systems are used.
According to the announcement in the linux-kernel list.
On Windows, certain paths can also be displayed in .git , for example, git ~ 1 / config gives access to .git / config . The HFS + file system can also provide access to this path when using Unicode characters, for example, .g \ u200cit / config . Such paths will now be deflected by Git on potentially vulnerable systems. On other systems, such as Linux, it is possible to deliberately enable similar system behavior to ensure cross-platform and overall security enhancements.
You can check for problems with git fsck .
Corresponding corrections have already been released:
')
Interestingly, exploitation of the vulnerability is not possible on GitHub. Employees of the company immediately after the appearance of information about the bug banned new malicious commits and checked all existing repositories for the presence of CVE-2014-9390 in them.
The essence of the vulnerability is the ability to commit in .Git / config , which is equivalent to the service path .git / config on case-insensitive file systems. This makes it possible to initiate the launch of arbitrary commands on the client. In general, workstations on Windows and Mac OS X are vulnerable, and Linux systems will be affected if case-sensitive file systems are used.
According to the announcement in the linux-kernel list.
Previously, we allowed commits in ".Git / config", but on case-insensitive file systems this would allow writing to ".git / config", which is definitely not the expected behavior of the program. From now on, Git prohibits the use of ".Git" (in any case) on the way.
On Windows, certain paths can also be displayed in .git , for example, git ~ 1 / config gives access to .git / config . The HFS + file system can also provide access to this path when using Unicode characters, for example, .g \ u200cit / config . Such paths will now be deflected by Git on potentially vulnerable systems. On other systems, such as Linux, it is possible to deliberately enable similar system behavior to ensure cross-platform and overall security enhancements.
You can check for problems with git fsck .
Corresponding corrections have already been released:
')
- GitHub for Windows and GitHub for Mac
- The git core team has released updates for all supported versions of git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).
- Git for Windows (aka MSysGit) has been updated to 1.9.5 .
- Popular libgit2 and jgit libraries have also been updated.
Interestingly, exploitation of the vulnerability is not possible on GitHub. Employees of the company immediately after the appearance of information about the bug banned new malicious commits and checked all existing repositories for the presence of CVE-2014-9390 in them.
Source: https://habr.com/ru/post/246377/
All Articles