One git command may cause you hacked ( CVE-2014-9390 Exploitation for Shell )

Hello

CVE-2014-9390 is one of the hilarious vulnerability I’ve ever seen. One single git  may cause you hacked! I won’t dive into the details of this vulnerability because of official announcements can be found here ( https://github.com/blog/1938-git-client-vulnerability-announced and http://article.gmane.org/gmane.linux.kernel/1853266 ) . In short, if you use case insensitive operating system like Windows or OSX you have to update your git client, do it right now! Otherwise attackers can insert their own pre hooks into your git directory.

Let’s analyze this vulnerability from penetration tester perspective.

Preparations

I’ve created a new project named as CVE-2014-9390 . 

git1

Lets create .GiT ( upper G, lower i then upper T ) folder and create vulnerable.txt file under that directory then push it to the project.

Lets pull same project into the Windows machine with vulnerable git client!

Let me show you orginal .git folder. You will see vulnerable.txt is located here!!!!! it should be located under the .GiT folder instead of .git .

gitpoc

Cool!

Exploitation

I will use git hooks in order to use this vulnerability.

What is Git hooks ?

Like many other Version Control Systems, Git has a way to fire off custom scripts when certain important actions occur. There are two groups of these hooks: client-side and server-side. Client-side hooks are triggered by operations such as committing and merging,

which is really useful to execute custom client side scripts when git command  ( such as git pull, git checkout ) executed by client.

How do I implement Git hooks?

Overwrite one of the scripts in .git/hooks and make it executable. As you know we are able to create file under the .git directory via this vulnerability.

How to initiate reverse connection ?

Several different approach can be used for this purpose but I believe bash reverse connection is the most common and easiest way to support both OS ( OSX and Windows ) .

git bash

We are luck because of bash.exe  is already comes as a built-in feature from Git installation. Of course you can implement your own powershell scripts in order to target only Windows machines ( Calling powershell from git shell is not easy… for me at least.)

I’ve choose post-checkout hook because it one the most common git commands also it will be called when you call git clone command. Ofcourse you can choose whatever you want.

Let’s create “fake” git folder and create file named post-checkout . 

Now it’s time to setup our handler. Not a rocket science.

Cloning Repo

Let’s clone https://gitlab.com/mehmet/cve-2014-9390 repo.

gitshock clone

Everthing seem normal BUT…

gitshock exploit

That’s it.