
Information security researcher Laël Cellier has discovered two critical vulnerabilities affecting both the client and the server side of Git (CVE-2016-2324 and CVE-2016-2315).
Using them, an attacker can achieve remote code execution. To do so, the attacker creates a repository whose tree contains files with very long names and then either pushes it to a vulnerable remote server or lets a vulnerable client pull it.
Both bugs are in a function called path_name(), which appends a file name to the end of a path in the repository tree. An attacker controls both the path and the file name and can use them to run malicious code; a successful attack has to get past protections such as ASLR, but that is feasible.
This is what path_name() in revision.c looked like in Git versions up to 2.7.0:
    char *path_name(const struct name_path *path, const char *name)
    {
        const struct name_path *p;
        char *n, *m;
        int nlen = strlen(name);
        int len = nlen + 1;

        for (p = path; p; p = p->up) {
            if (p->elem_len)
                len += p->elem_len + 1;
        }
        n = xmalloc(len);
        m = n + len - (nlen + 1);
        strcpy(m, name);
        for (p = path; p; p = p->up) {
            if (p->elem_len) {
                m -= p->elem_len + 1;
                memcpy(m, p->elem, p->elem_len);
                m[p->elem_len] = '/';
            }
        }
        return n;
    }
The length arithmetic in this code uses a plain int: with enough long path components, len wraps around, xmalloc() allocates a buffer that is too small, and the memcpy() loop then writes past its end. This is the integer overflow that leads to the buffer overflow.
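To make the failure concrete, here is an added example (not Git's code and not Git's actual fix) that recomputes the same length in size_t with explicit overflow checks. The struct name_path layout is assumed to match the affected versions (up pointer, elem_len, elem); the "hostile" tree is constructed in the code and simply has component lengths that sum past INT_MAX, which is enough to show where the original int arithmetic would wrap without ever allocating anything.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for Git's struct name_path (revision.h in affected versions). */
struct name_path {
    const struct name_path *up;   /* parent directory, NULL at the root */
    size_t elem_len;              /* length of this path component */
    const char *elem;             /* component bytes, not NUL-terminated */
};

/* Same sum the vulnerable code computes, but in size_t with overflow checks.
 * Returns 1 and stores the size in *out, or 0 if the sum would not fit. */
int checked_path_len(const struct name_path *path, const char *name, size_t *out)
{
    const struct name_path *p;
    size_t nlen = strlen(name);
    size_t len;

    if (nlen == SIZE_MAX)
        return 0;
    len = nlen + 1;                          /* name plus terminating NUL */
    for (p = path; p; p = p->up) {
        if (!p->elem_len)
            continue;
        if (p->elem_len > SIZE_MAX - 1 - len) /* elem_len + 1 would wrap */
            return 0;
        len += p->elem_len + 1;              /* component plus '/' */
    }
    *out = len;
    return 1;
}

/* True if the total does not fit in a C int, i.e. the original `int len`
 * in path_name() would wrap and xmalloc() would get a too-small size. */
int legacy_int_len_wraps(const struct name_path *path, const char *name)
{
    size_t len;
    if (!checked_path_len(path, name, &len))
        return 1;
    return len > (size_t)INT_MAX;
}

/* Hardened path_name(): identical output for sane input, NULL instead of
 * an undersized allocation when the length cannot be represented. */
char *safe_path_name(const struct name_path *path, const char *name)
{
    const struct name_path *p;
    size_t len, nlen = strlen(name);
    char *n, *m;

    if (!checked_path_len(path, name, &len) || len > (size_t)INT_MAX)
        return NULL;
    n = malloc(len);
    if (!n)
        return NULL;
    m = n + len - (nlen + 1);
    memcpy(m, name, nlen + 1);               /* name and its NUL go at the end */
    for (p = path; p; p = p->up) {
        if (p->elem_len) {
            m -= p->elem_len + 1;            /* never before n: len was built from these */
            memcpy(m, p->elem, p->elem_len);
            m[p->elem_len] = '/';
        }
    }
    return n;
}

/* Constructed inputs: a normal two-level tree and a hostile one whose
 * three component lengths add up to more than INT_MAX. */
static const struct name_path demo_a = { NULL, 1, "a" };
const struct name_path demo_b = { &demo_a, 1, "b" };
static const struct name_path hostile_1 = { NULL, (size_t)INT_MAX / 2, NULL };
static const struct name_path hostile_2 = { &hostile_1, (size_t)INT_MAX / 2, NULL };
const struct name_path hostile_3 = { &hostile_2, (size_t)INT_MAX / 2, NULL };

int main(void)
{
    char *full = safe_path_name(&demo_b, "c.txt");
    printf("joined: %s\n", full ? full : "(refused)");
    free(full);
    printf("legacy int arithmetic wraps: %d\n", legacy_int_len_wraps(&hostile_3, "x"));
    printf("hardened version refuses:    %d\n", safe_path_name(&hostile_3, "x") == NULL);
    return 0;
}
```

The hostile tree never touches memory: legacy_int_len_wraps() only reports that the original computation would have overflowed, while safe_path_name() returns NULL for it and still produces a/b/c.txt for the ordinary tree.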
Positive Technologies researchers also managed to build a working exploit. A separate vulnerability, CVE-2016-1285, consists in missing validation of the field types in RNDC control packets received by named. A specially crafted packet can trigger an assertion failure in sexpr.c or alist.c. To carry out the attack, an unauthenticated attacker must be on a network from which named is allowed to accept control packets (the controls section of named.conf).
Packets carried over TCP have a field/value table structure in which individual fields can be binary data, nested tables, or lists.
Here is the code in lib/isccc/cc.c responsible for the authorization check:
    _auth = isccc_alist_lookup(alist, "_auth");
    if (_auth == NULL)
        return (ISC_R_FAILURE);
    if (algorithm == ISCCC_ALG_HMACMD5)
        hmac = isccc_alist_lookup(_auth, "hmd5");
    else
        hmac = isccc_alist_lookup(_auth, "hsha");
    if (hmac == NULL)
        return (ISC_R_FAILURE);

The essence of the patch that closes the vulnerability is an additional check on the result of isccc_alist_lookup(). The diff is available at this link:
_auth = isccc_alist_lookup(alist, "_auth"); - if (_auth == NULL) + if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE);
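Review bot: the new `isccc_alist_alistp(_auth)` guard already rejects NULL, so dropping the `if (_auth == NULL)` line loses nothing; the remaining gap in the quoted code is `hmac`, which the lines above still only compare against NULL after the `hmd5`/`hsha` lookup, so whatever consumes it as binary data should apply the same kind of type predicate before use rather than trusting the lookup result.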
The isccc_alist_alistp() function performs the additional check that the nested field really is a table:

    isccc_boolean_t
    isccc_alist_alistp(isccc_sexpr_t *alist)
    {
        isccc_sexpr_t *car;

        if (alist == NULL || alist->type != ISCCC_SEXPRTYPE_DOTTEDPAIR)
            return (ISC_FALSE);
        car = CAR(alist);
        if (car == NULL || car->type != ISCCC_SEXPRTYPE_STRING)
            return (ISC_FALSE);
        if (strcmp(car->value.as_string, ALIST_TAG) != 0)
            return (ISC_FALSE);
        return (ISC_TRUE);
    }
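The pattern behind the fix, type-checking every lookup result before it is treated as a table or as binary data, is shown below as an added example. It is not BIND's code: the tagged-value model, the names table_lookup(), is_table() and validate_auth(), and the three constructed messages are all assumptions made for the example, and the s-expression CAR/CDR representation is replaced by a flat array of key/value entries.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy tagged-value model of the control packet's field/value tables
 * (assumed; the real isccc code uses s-expressions with a tag string). */
typedef enum { V_STRING, V_BINARY, V_TABLE } vtype;

struct entry;
struct value {
    vtype type;
    const char *str;              /* V_STRING */
    const unsigned char *bin;     /* V_BINARY */
    size_t binlen;
    const struct entry *entries;  /* V_TABLE */
    size_t nentries;
};
struct entry {
    const char *key;
    const struct value *val;
};

/* Like isccc_alist_lookup(): returns the value stored under key, or NULL.
 * The real function assumes it is handed a table; here a non-table simply
 * yields NULL so the toy can never walk the wrong structure. */
const struct value *table_lookup(const struct value *table, const char *key)
{
    size_t i;
    if (table == NULL || table->type != V_TABLE)
        return NULL;
    for (i = 0; i < table->nentries; i++)
        if (strcmp(table->entries[i].key, key) == 0)
            return table->entries[i].val;
    return NULL;
}

/* Equivalent of isccc_alist_alistp(): is this value really a table? */
int is_table(const struct value *v)
{
    return v != NULL && v->type == V_TABLE;
}

enum auth_result {
    AUTH_OK, AUTH_NO_AUTH, AUTH_AUTH_NOT_TABLE, AUTH_NO_HMAC, AUTH_HMAC_NOT_BINARY
};

/* The patched shape of the check: every lookup result is validated for the
 * type the next step needs before that step runs. */
enum auth_result validate_auth(const struct value *msg, int use_md5)
{
    const struct value *_auth = table_lookup(msg, "_auth");
    const struct value *hmac;

    if (_auth == NULL)
        return AUTH_NO_AUTH;
    if (!is_table(_auth))               /* the check added for CVE-2016-1285 */
        return AUTH_AUTH_NOT_TABLE;
    hmac = table_lookup(_auth, use_md5 ? "hmd5" : "hsha");
    if (hmac == NULL)
        return AUTH_NO_HMAC;
    if (hmac->type != V_BINARY)         /* same idea applied to the digest field */
        return AUTH_HMAC_NOT_BINARY;
    return AUTH_OK;
}

/* Constructed messages. The digest bytes are placeholders, not a real HMAC. */
static const unsigned char demo_digest[16] = { 0 };
static const struct value v_digest = { V_BINARY, NULL, demo_digest, sizeof demo_digest, NULL, 0 };
static const struct entry auth_entries[] = { { "hmd5", &v_digest } };
static const struct value v_auth_ok = { V_TABLE, NULL, NULL, 0, auth_entries, 1 };
static const struct entry good_entries[] = { { "_auth", &v_auth_ok } };
const struct value good_msg = { V_TABLE, NULL, NULL, 0, good_entries, 1 };

/* _auth is present but is a plain string, the shape a NULL-only check lets through. */
const struct value v_auth_str = { V_STRING, "not-a-table", NULL, 0, NULL, 0 };
static const struct entry bad_entries[] = { { "_auth", &v_auth_str } };
const struct value bad_auth_type_msg = { V_TABLE, NULL, NULL, 0, bad_entries, 1 };

/* _auth is a table, but its hmd5 field is a string rather than binary data. */
static const struct value v_hmac_str = { V_STRING, "abc", NULL, 0, NULL, 0 };
static const struct entry auth_str_hmac[] = { { "hmd5", &v_hmac_str } };
static const struct value v_auth_strhmac = { V_TABLE, NULL, NULL, 0, auth_str_hmac, 1 };
static const struct entry bad2_entries[] = { { "_auth", &v_auth_strhmac } };
const struct value bad_hmac_type_msg = { V_TABLE, NULL, NULL, 0, bad2_entries, 1 };

int main(void)
{
    printf("good message:        %d\n", validate_auth(&good_msg, 1));
    printf("_auth is a string:   %d\n", validate_auth(&bad_auth_type_msg, 1));
    printf("hmd5 is a string:    %d\n", validate_auth(&bad_hmac_type_msg, 1));
    return 0;
}
```

Each rejected message fails at the step whose type assumption it violates, which is the property the patch restores: a field is never handed to code that expects a table or binary data until its type has been confirmed.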
The problems went unnoticed for several years: Git versions up to 2.7.0 are vulnerable, including the 1.9 and 1.7 branches. Both vulnerabilities were fixed in version 2.7.1, released in February 2016, but the Git developers did not announce the fixes, so many users and administrators have still not updated their systems.
Cellier reported the vulnerabilities he discovered to GitHub, for which he received 5000 points under its bug bounty program; awards of that size are given for extremely serious vulnerabilities.
A GitHub employee later fixed the bugs and published Git 2.7.1, which was provided to corporate users, but there was no separate announcement about it. GitLab also updated its software by adopting Git 2.7.3, which contains these and other bug fixes.
Positive Technologies experts recommend that all users and administrators of Git servers update the version of the software they use. The new version can be downloaded via this link.