A security researcher of Recurity Labs has found a bug in Git allowing to run arbitrary code on the server. Later on, he discovered identical vulnerabilities in SVN and Mercurial, two other version control systems (VCS).

On August 10, Hank Leininger, another researcher, reported the same flaw in CVS (Concurrent Versions System).

The first researcher, named Joern Schneeweis, was examining Git Large File Storage (LFS) when he found a remote code execution flaw in Git.

Git LFS is a project designed for storing large files in Git repositories with all benefits of cloud storage in general and Git itself in particular.

Configured by an “.lfsconfig” file inside the repository, it could be tricked by a crafted link like “url = ssh://-oProxyCommand=some-command”. Viewing it as a regular URL, Git would pass the link to SSH as is. The latter would, however, interpret it as an option and run “some-command” to establish a connection.

“So, arbitrary command execution was possible via a crafted repository for Git LFS clients, which clone the repository. This issue was disclosed to GitHub and has been resolved in a very quick fashion,” the researcher concludes in a corporate blog note.

Nevertheless, the flaw remained exploitable in another way, as Schneeweisz discovered mid July, after a two-month parental leave. E.g., the next command would run gnome-calculator:

$ git clone ssh://-oProxyCommand=gnome-calculator/wat
Cloning into 'wat'...
Pseudo-terminal will not be allocated because stdin is not a terminal.
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

As for an IT professional the link above would seem suspicious, a simple trick would be required:

“It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger,” Schneeweisz explains.

The researcher discovered that the same flaw is present in SVN and Mercurial, with the first being able to be tricked by a 301 HTTP redirect. It means, a benign-looking link could lead to a hacker-controlled server, which would covertly trick SVN into following a crafted one.

The flaw in CVS found by Leininger doesn’t appear very dangerous as the exploitation would be too obvious to someone using a version control system.

“Of course, the repo specification looks very odd, so tricking a victim may be harder than for SCM tools where it’s prefixed by an ssh:// or masked behind a redirect. Plus, first you would have find a victim,” he remarks.