Saturday, June 22, 2024

Critical Git Vulnerability Let Attackers Execute Remote Code : PoC Published

A critical remote code execution vulnerability has been discovered in the git clone which was assigned with CVE-2024-32002 and the severity has been given as 9.0 (Critical).

This particular vulnerability existed in the clone command that is widely used. 

Git released a security advisory last week which stated that about a Remote Code Execution.

In addition to this, the vulnerability was described to be existing due to the submodules that can be drafted in a particular way that could result in remote code execution.

However, this vulnerability has been fixed by git and patched versions have been released. 

Vulnerability Analysis – CVE-2024-32002

According to the reports shared with Cyber Security News, git employs submodules which are repositories nested within other repositories.

Every submodule has a designated directory path within the main directory which is tracked for ensuring changes are recorded accurately. 

On observing further, it was discovered that there were case-insensitive filesystems in the default settings on Windows (A/modules/x) and macOS (a/modules/x).

Both of these paths are treated the same which is the main core reason behind the remote code execution. 

In addition to this, symlinks or symbolic links are file system objects that act as pointers to other files or directories.

However, this symlink can be used for referencing other parts of the repository making it exploitable for malicious purposes.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Source Code Analysis

As per the commit of the fix of this vulnerability, there were changes only to two files which were builtin/submodule–helper.c and t/ 

Git Commit (Source:

Additionally, the message on the commit indicated that “On case-insensitive filesystems, however, we blindly replace a directory that has been created as part of the clone operation with a symlink when the path to the latter differs only in case from the former’s path…..we must be careful not to follow symbolic links.

Otherwise we may follow a symbolic link pointing to a gitdir (which are valid symbolic links!) e.g. while cloning.”

builtin/submodule–helper.c file and t/

The change on this file contained the clone_submodule which handles the cloning process for submodules.

There was a new function dir_contains_only_dotgit which checks if a directory contains only a .git file or directory. 

Further, the clone_submodule was added with a Git check to determine whether the submodule directory exists or is empty.

In case of empty, the operation is aborted to avoid overwriting. Whereas the t/ is a test script that has multiple information like Global configuration, hook repository setup, and main repository setup.

Exploitation Of The RCE

With all the information, the root issue existed in the case-insensitive filesystems treating paths like A/modules/x and a/modules/x as identical.

To exploit this, a malicious symlink must be crafted within the submodule, which is named with a case variation of the submodule’s path, but at the end, it points to the .git/ directory.

When a victim clones the malicious repository, Git creates a directory for the submodule, which is supplied with a symlink that makes the malicious symlink to be replaced in the newly created directory.

If the script is crafted in a different way, it could lead to executing remote code on the vulnerable instance system. 

A proof of concept has been published by the researcher, which can be triggered using the following command:

git clone –recursive [email protected]:amalmurali47/git_rce.git

PoC on Windows (Source: GitHub/@amalmurali47)
PoC on Mac (Source: GitHub/@amalmurali47)

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles