Saturday, January 25, 2025
HomeCyber Security NewsCritical Git Vulnerability Let Attackers Execute Remote Code : PoC Published

Critical Git Vulnerability Let Attackers Execute Remote Code : PoC Published

Published on

SIEM as a Service

Follow Us on Google News

A critical remote code execution vulnerability has been discovered in the git clone which was assigned with CVE-2024-32002 and the severity has been given as 9.0 (Critical).

This particular vulnerability existed in the clone command that is widely used. 

Git released a security advisory last week which stated that about a Remote Code Execution.

In addition to this, the vulnerability was described to be existing due to the submodules that can be drafted in a particular way that could result in remote code execution.

However, this vulnerability has been fixed by git and patched versions have been released. 

Vulnerability Analysis – CVE-2024-32002

According to the reports shared with Cyber Security News, git employs submodules which are repositories nested within other repositories.

Every submodule has a designated directory path within the main directory which is tracked for ensuring changes are recorded accurately. 

On observing further, it was discovered that there were case-insensitive filesystems in the default settings on Windows (A/modules/x) and macOS (a/modules/x).

Both of these paths are treated the same which is the main core reason behind the remote code execution. 

In addition to this, symlinks or symbolic links are file system objects that act as pointers to other files or directories.

However, this symlink can be used for referencing other parts of the repository making it exploitable for malicious purposes.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Source Code Analysis

As per the commit of the fix of this vulnerability, there were changes only to two files which were builtin/submodule–helper.c and t/t7406-submodule-update.sh. 

Git Commit (Source: Amalmurali.net)

Additionally, the message on the commit indicated that “On case-insensitive filesystems, however, we blindly replace a directory that has been created as part of the clone operation with a symlink when the path to the latter differs only in case from the former’s path…..we must be careful not to follow symbolic links.

Otherwise we may follow a symbolic link pointing to a gitdir (which are valid symbolic links!) e.g. while cloning.”

builtin/submodule–helper.c file and t/t7406-submodule-update.sh

The change on this file contained the clone_submodule which handles the cloning process for submodules.

There was a new function dir_contains_only_dotgit which checks if a directory contains only a .git file or directory. 

Further, the clone_submodule was added with a Git check to determine whether the submodule directory exists or is empty.

In case of empty, the operation is aborted to avoid overwriting. Whereas the t/t7406-submodule-update.sh is a test script that has multiple information like Global configuration, hook repository setup, and main repository setup.

Exploitation Of The RCE

With all the information, the root issue existed in the case-insensitive filesystems treating paths like A/modules/x and a/modules/x as identical.

To exploit this, a malicious symlink must be crafted within the submodule, which is named with a case variation of the submodule’s path, but at the end, it points to the .git/ directory.

When a victim clones the malicious repository, Git creates a directory for the submodule, which is supplied with a symlink that makes the malicious symlink to be replaced in the newly created directory.

If the script is crafted in a different way, it could lead to executing remote code on the vulnerable instance system. 

A proof of concept has been published by the researcher, which can be triggered using the following command:

git clone –recursive git@github.com:amalmurali47/git_rce.git

PoC on Windows (Source: GitHub/@amalmurali47)
PoC on Mac (Source: GitHub/@amalmurali47)

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

PayPal Fined $2 Million Fine For Violating Cybersecurity Regulations

The New York State Department of Financial Services (NYDFS) has imposed a $2 million...