Gix — CraftedSignal Threat Feed

gix and gitoxide Submodule Path Traversal Vulnerability

hello@craftedsignal.io — Mon, 29 Jan 2024 12:00:00 +0000

A path traversal vulnerability has been identified in the gix and gitoxide libraries. The vulnerability stems from the lack of validation of submodule names extracted from the .gitmodules file. Specifically, these submodule names are used to construct file paths for accessing submodule Git directories. An attacker can craft a malicious .gitmodules file containing a submodule name with path traversal sequences (e.g., ../../../escaped-target.git). This allows the attacker to redirect state() and open() calls to an arbitrary repository outside the intended .git/modules directory. This can cause a vulnerable application using these libraries to operate on an unexpected repository, leading to potential security issues. The vulnerability affects gix versions prior to 0.83.0 and gitoxide versions up to and including 0.52.0.

Attack Chain

An attacker crafts a malicious .gitmodules file.
The malicious .gitmodules file contains a submodule name with path traversal sequences (e.g., ../../../escaped-target.git).
A vulnerable application using gix or gitoxide parses the malicious .gitmodules file.
The application extracts the unvalidated submodule name from the .gitmodules file.
The application constructs a file path to the submodule’s Git directory using the unvalidated name: /modules/.
Due to the path traversal sequences in the submodule name, the constructed path escapes the intended .git/modules directory.
The application calls state() or open() using the escaped path, which leads to an attacker-controlled repository.
The application performs operations (enumeration, inspection, etc.) on the attacker-chosen repository, potentially leading to information disclosure or other unexpected behavior.

Impact

The vulnerability can lead to repository confusion, where a vulnerable application operates on an unintended repository. While the report does not claim direct command execution, the redirection of repository access can have significant consequences. For example, if the application relies on submodule state for access control or other security-sensitive operations, an attacker could potentially bypass these checks by redirecting the application to a controlled repository. The number of victims and sectors affected depend on the adoption of the vulnerable gix and gitoxide libraries.

Recommendation

Upgrade to gix version 0.83.0 or later to patch the vulnerability.
Upgrade to a version of gitoxide later than 0.52.0, if available (or switch to gix).
Deploy the Sigma rule Detect Git Submodule Path Traversal in Configuration to identify potentially malicious .gitmodules files based on submodule name patterns.
Sanitize or validate submodule names before using them to construct file paths, as recommended in the advisory.
Monitor application logs for suspicious activity related to submodule operations, especially those involving unusual file paths.

gitoxide Arbitrary Command Execution via .gitmodules Bypass

hello@craftedsignal.io — Tue, 09 Jan 2024 18:00:00 +0000

A vulnerability exists in gitoxide’s gix_submodule::File::update() function, specifically in versions 0.31.0 to 0.82.0, that allows for arbitrary command execution. The vulnerability arises from an insufficient check on the origin of the update command specified in a .gitmodules file. An attacker can exploit this by pushing a new commit with a malicious update command in .gitmodules after the victim initializes the submodule. This bypasses the intended security guard, leading to potential remote command execution in downstream code that relies on Submodule::update() and trusts the safety of Update::Command(_). This issue is similar to CVE-2019-19604, highlighting the risk of unchecked commands in submodule configurations.

Attack Chain

An attacker creates a repository with a benign .gitmodules file, containing no update key.
A victim clones the attacker’s repository and runs git submodule init, which populates the .git/config file with submodule information (URL, active status), but not the update key.
The attacker pushes a new commit to the repository, adding a malicious update = ! line to the .gitmodules file (e.g., update = !touch /tmp/pwned).
The victim runs git pull to update their local repository, incorporating the attacker’s modified .gitmodules file. The .git/config file remains unchanged.
A gitoxide-based application calls Submodule::update() to determine the submodule update strategy.
The vulnerable gix_submodule::File::update function is called, which incorrectly validates the source of the update command.
The function checks that a submodule section with the same name exists in a non-.gitmodules source, but does not verify if the update value comes from that section, bypassing the intended security guard.
The attacker-controlled shell command from the .gitmodules file is executed, leading to arbitrary command execution.

Impact

The vulnerability allows an attacker to execute arbitrary commands on a system running gitoxide-based applications that utilize submodules. This could lead to complete system compromise, data exfiltration, or denial of service. Any tool, IDE plugin, or CI integration building submodule-update functionality on top of gix within the affected version range inherits this vulnerability. Successful exploitation depends on the vulnerable application’s trust in the output of Submodule::update() which determines the update strategy.

Recommendation

Upgrade to gix version 0.83.0 or later to patch the vulnerability (https://github.com/advisories/GHSA-f26g-jm89-4g65).
Implement additional validation and sanitization of submodule configurations, especially when handling Update::Command(_) from Submodule::update(), to prevent unintended command execution.
Deploy the Sigma rule below to detect potential exploitation attempts by monitoring for the execution of unexpected commands based on submodule configuration.