
Heap overflow in `git shell` leading to RCE

High
ttaylorr published GHSA-rjr6-wcq6-83p6 Oct 18, 2022

Package

No package listed

Affected versions

<= v2.30.5, v2.31.4, v2.32.3, v2.33.4, v2.34.4, v2.35.4, v2.36.2, v2.37.3, v2.38.0

Patched versions

>= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.1

Description

Impact

git shell is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. Typically git shell only allows executing receive-pack, upload-pack, or upload-archive, each followed by an arbitrary <argv> specified by the caller:

If $HOME/git-shell-commands exists and is a directory, however, then any script in that directory can be executed by name with user-provided arguments.

Before executing commands, git shell splits the given <argv> string into an array with split_cmdline(). This function improperly uses an int to represent the number of entries (argc) in the argv array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting argv array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine.

Note that a victim must first allow access to git shell as a login shell, and allow interactive mode by having the $HOME/git-shell-commands directory present in order to be vulnerable to this attack.
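As an added illustration of the defect class described above (this is not git's own split_cmdline() and handles whitespace only, not quoting), here is a splitter that keeps the token count in a size_t and checks it against a caller-supplied length cap and against INT_MAX before the count is used to size the argv heap allocation; the function and helper names and the cap values are assumptions made for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
/* Split cmdline on whitespace into a NULL-terminated, heap-allocated argv.
 * Returns argc, or -1 on error. Unlike a splitter that tracks argc in a
 * plain int, the token count lives in a size_t and is checked against a
 * caller-supplied length cap and against INT_MAX before it sizes the heap
 * buffer, so input length can no longer wrap the count that sizes argv. */
int split_cmdline_safe(char *cmdline, size_t max_len, char ***argv)
{
    size_t len = strlen(cmdline), count = 0, i;
    char **out;
    if (len > max_len)
        return -1;                         /* oversized input: refuse early */
    for (i = 0; i < len; ) {               /* pass 1: count tokens */
        while (i < len && isspace((unsigned char)cmdline[i])) i++;
        if (i == len) break;
        count++;
        while (i < len && !isspace((unsigned char)cmdline[i])) i++;
    }
    if (count >= INT_MAX)
        return -1;                         /* must fit the int return value */
    out = calloc(count + 1, sizeof(*out)); /* +1 for the NULL terminator */
    if (!out)
        return -1;
    for (i = 0, count = 0; i < len; ) {    /* pass 2: split in place */
        while (i < len && isspace((unsigned char)cmdline[i])) i++;
        if (i == len) break;
        out[count++] = &cmdline[i];
        while (i < len && !isspace((unsigned char)cmdline[i])) i++;
        if (i < len) cmdline[i++] = '\0';
    }
    out[count] = NULL;
    *argv = out;
    return (int)count;
}
/* Checking helper (assumed name): split a copy of line and return argc, -1 if
 * the line was rejected, or -2 if want is non-NULL and argv[idx] != want. */
int check_split(const char *line, size_t max_len, size_t idx, const char *want)
{
    size_t n = strlen(line) + 1;
    char *copy = malloc(n), **argv = NULL;
    int argc = -1;
    if (copy) { memcpy(copy, line, n); argc = split_cmdline_safe(copy, max_len, &argv); }
    if (argc >= 0 && want && (idx >= (size_t)argc || strcmp(argv[idx], want)))
        argc = -2;                         /* split ok but wrong token */
    free(argv);
    free(copy);
    return argc;
}
```

The two checks together are what the vulnerable pattern lacked: with the count held in a size_t and bounded before allocation, a long command line is refused instead of producing an undersized argv buffer that the second pass then writes past.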

Patches

The problem has been patched in the versions published on 2022-10-18, going back to v2.30.6.

Workarounds

The most complete workaround is upgrading to the most recent patched version published.

If doing so is impractical, then disabling git shell access via remote logins is encouraged in the short-term. If git shell cannot be disabled as a login shell, then disabling its interactive mode by removing the git-shell-commands directory is encouraged.

Credit

Credit for finding the vulnerability goes to Kevin Backhouse of the GitHub Security Lab.

Severity

High

CVE ID

CVE-2022-39260

Weaknesses

No CWEs
