Code-Vulnerability — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/code-vulnerability/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 18:00:00 +0000gitoxide Arbitrary Command Execution via .gitmodules Bypasshttps://feed.craftedsignal.io/briefs/2024-01-09-gitoxide-rce/Tue, 09 Jan 2024 18:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-gitoxide-rce/A vulnerability in gitoxide's `gix_submodule::File::update()` allows arbitrary command execution via a crafted `.gitmodules` file by incorrectly validating the source of the `update` command, enabling an attacker to inject malicious commands after a submodule has been initialized.A vulnerability exists in gitoxide’s gix_submodule::File::update() function, specifically in versions 0.31.0 to 0.82.0, that allows for arbitrary command execution. The vulnerability arises from an insufficient check on the origin of the update command specified in a .gitmodules file. An attacker can exploit this by pushing a new commit with a malicious update command in .gitmodules after the victim initializes the submodule. This bypasses the intended security guard, leading to potential remote command execution in downstream code that relies on Submodule::update() and trusts the safety of Update::Command(_). This issue is similar to CVE-2019-19604, highlighting the risk of unchecked commands in submodule configurations.

Attack Chain

  1. An attacker creates a repository with a benign .gitmodules file, containing no update key.
  2. A victim clones the attacker’s repository and runs git submodule init, which populates the .git/config file with submodule information (URL, active status), but not the update key.
  3. The attacker pushes a new commit to the repository, adding a malicious update = !<command> line to the .gitmodules file (e.g., update = !touch /tmp/pwned).
  4. The victim runs git pull to update their local repository, incorporating the attacker’s modified .gitmodules file. The .git/config file remains unchanged.
  5. A gitoxide-based application calls Submodule::update() to determine the submodule update strategy.
  6. The vulnerable gix_submodule::File::update function is called, which incorrectly validates the source of the update command.
  7. The function checks that a submodule section with the same name exists in a non-.gitmodules source, but does not verify if the update value comes from that section, bypassing the intended security guard.
  8. The attacker-controlled shell command from the .gitmodules file is executed, leading to arbitrary command execution.

Impact

The vulnerability allows an attacker to execute arbitrary commands on a system running gitoxide-based applications that utilize submodules. This could lead to complete system compromise, data exfiltration, or denial of service. Any tool, IDE plugin, or CI integration building submodule-update functionality on top of gix within the affected version range inherits this vulnerability. Successful exploitation depends on the vulnerable application’s trust in the output of Submodule::update() which determines the update strategy.

Recommendation

  • Upgrade to gix version 0.83.0 or later to patch the vulnerability (https://github.com/advisories/GHSA-f26g-jm89-4g65).
  • Implement additional validation and sanitization of submodule configurations, especially when handling Update::Command(_) from Submodule::update(), to prevent unintended command execution.
  • Deploy the Sigma rule below to detect potential exploitation attempts by monitoring for the execution of unexpected commands based on submodule configuration.
]]>highadvisorycode-vulnerabilityremote-code-executiongitoxide