{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/gix-fs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gix-fs (\u003c= 0.21.0)"],"_cs_severities":["high"],"_cs_tags":["symlink","worktree-escape","gitoxide","gix-fs","code-execution"],"_cs_type":"advisory","_cs_vendors":["rust"],"content_html":"\u003cp\u003eA critical vulnerability exists in the Rust gix-fs library, specifically in versions 0.21.0 and earlier. This flaw allows a malicious actor to craft a Git tree in such a way that, when checked out using gitoxide, an attacker-controlled symlink can be written into any directory on the file system where the user possesses write permissions. The vulnerability arises from the reuse of validated path prefixes during the checkout process, specifically when handling symlinks. Project Glasswing discovered this flaw, identified as CVE-2026-44471, which has the potential for privilege escalation and arbitrary code execution. The issue stems from how gix-fs handles symlinks during the checkout process, allowing a malicious actor to bypass its path-prefix validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Git tree containing a symlink entry (\u0026lsquo;a\u0026rsquo;) pointing to a sensitive directory (e.g., \u0026lsquo;.git/hooks\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker creates a directory entry (\u0026lsquo;a\u0026rsquo;) within the same tree, including a subtree with a symlink (e.g., \u0026lsquo;post-checkout\u0026rsquo;) pointing to a payload file (\u0026lsquo;../../payload\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003eThe crafted Git tree is processed by \u003ccode\u003egix_index::State::from_tree()\u003c/code\u003e, which converts it into index entries (e.g., [\u0026ldquo;a\u0026rdquo; (SYMLINK), \u0026ldquo;a/post-checkout\u0026rdquo; (SYMLINK)]).\u003c/li\u003e\n\u003cli\u003eDuring the delayed symlink phase of the checkout process, the symlink \u0026lsquo;a\u0026rsquo; is created, linking to the target directory (e.g., \u0026lsquo;.git/hooks\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003eWhen processing \u0026lsquo;a/post-checkout\u0026rsquo;, the validated prefix \u0026lsquo;a\u0026rsquo; is reused, bypassing intermediate directory checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esymlink()\u003c/code\u003e function resolves through the previously created symlink (\u0026lsquo;a\u0026rsquo;), leading to the creation of a symlink at the attacker-controlled location (e.g., \u0026lsquo;.git/hooks/post-checkout\u0026rsquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker places an executable payload file (\u0026lsquo;payload\u0026rsquo;) in the repository.\u003c/li\u003e\n\u003cli\u003eUpon triggering the \u0026lsquo;post-checkout\u0026rsquo; hook (e.g., via \u003ccode\u003egit checkout -b new-branch\u003c/code\u003e), the payload is executed, resulting in arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to create arbitrary symlinks in any directory the user has write access to. This can lead to arbitrary code execution, privilege escalation, and potential system compromise. By writing to sensitive locations like \u003ccode\u003e.git/hooks\u003c/code\u003e, attackers can establish persistence and execute malicious code whenever Git commands are run. The impact is significant, as it allows attackers to bypass standard security checks and gain unauthorized access to the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the \u003ccode\u003egix-fs\u003c/code\u003e library that addresses CVE-2026-44471 to prevent exploitation of the symlink vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for git processes creating symlinks in sensitive directories such as \u003ccode\u003e.git/hooks\u003c/code\u003e, using a detection rule focused on suspicious symlink creation.\u003c/li\u003e\n\u003cli\u003eImplement strict file integrity monitoring on critical system directories to detect unauthorized modifications, especially within \u003ccode\u003e.git\u003c/code\u003e directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-gix-symlink-escape/","summary":"A vulnerability in rust's gix-fs library (\u003c= 0.21.0) allows a malicious actor to construct a tree that, when checked out with gitoxide, permits writing an attacker-controlled symlink into any existing directory the user has write access to, potentially leading to code execution.","title":"gix-fs Symlink Prefix-Reuse Worktree Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-30-gix-symlink-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Gix-Fs","version":"https://jsonfeed.org/version/1.1"}