Contact Us Get an assesment

Regarding the recently discovered RCE in Git

Regarding the recently discovered RCE in Git

Etienne Stalmans (@_staaldraad) recently discovered a Remote Code Execution vulnerability in the version-control software Git (CVE-2018-11235).

Regarding the recently discovered RCE in Git

Etienne Stalmans (@_staaldraad) recently discovered a Remote Code Execution vulnerability in the version-control software Git (CVE-2018-11235). Last Tuesday, May 29th, he tweeted about it, announcing that technical details would be published the following week.

I was intrigued by it and decided to investigate the issue. Casually, my colleague Pau Ochoa and me had been preparing an introductory Git talk for our “knowledge-sharing” workshops here at Ackcent (or Free Fridays, as we call them), and he suggested it would be cool to have a working Proof of Concept as a surprise for that session. That encouraged me to try and develop my own PoC as a challenge, based on the high-level information that had been published at that moment. Luckily, I succeed, and Pau and I were able to trick our colleagues into cloning a “malicious” repository during the workshop, printing out a funny warning in their shells.

I documented the whole process in a blog post of my own and, just after, I was informed by Etienne Stalmans himself that I had found a workaround for an edge case of the vulnerability that reproduces in Git 2.7.4 (the version I was testing on), believing it was the default case. He was even kind enough to mention my solution in his official blog post, which I highly recommend you to read, since it not only includes great technical detail, but also explains how he exploited the vulnerability to achieve code execution in GitHub Pages.

All in all, it was a great experience for me, and I’m very happy to have contributed, although minimally, with this little workaround that maybe others will encounter when trying to reproduce the exploit.

Remediation

Patches were issued for Git versions 2.13.7, 2.14.4, 2.15.2, 2.16.4 and 2.17.1. If you are not updated to these versions yet, general advice is to not clone recursively nor init submodules of untrusted repositories.

References