ghsa-6rw3-3whw-jvjj
Vulnerability from github
Published
2022-04-22 20:13
Modified
2022-04-22 20:13
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Git LFS can execute a binary from the current directory on Windows
Details

Impact

On Windows, if Git LFS operates on a malicious repository with a ..exe file as well as a file named git.exe, and git.exe is not found in PATH, the ..exe program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

Similarly, if the malicious repository contains files named ..exe and cygpath.exe, and cygpath.exe is not found in PATH, the ..exe program will be executed when certain Git LFS commands are run.

More generally, if the current working directory contains any file with a base name of . and a file extension from PATHEXT (except .bat and .cmd), and also contains another file with the same base name as a program Git LFS intends to execute (such as git, cygpath, or uname) and any file extension from PATHEXT (including .bat and .cmd), then, on Windows, when Git LFS attempts to execute the intended program the ..exe, ..com, etc., file will be executed instead, but only if the intended program is not found in any directory listed in PATH.

The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in PATH then Git LFS passes an empty string as the executable file path to the Go os/exec package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., .) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name . combined with any file extension from PATHEXT, executing the first one it finds.

(The reason ..bat and ..cmd files are not executed in the same manner is that, although the Go os/exec package tries to execute them just as it does a ..exe file, the Microsoft Win32 API CreateProcess() family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the cmd.exe command interpreter, passing the full set of command line arguments as parameters. These are unchanged from the command line arguments set by Git LFS, and as such, the intended program's name is the first, resulting in a command line like cmd.exe /c git, which then fails.)

Git LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in PATH rather than passing an empty string to the Go os/exec package in this case.

The bug in the Go os/exec package has been reported to the Go project and is expected to be patched after this security advisory is published.

Patches

The problem was introduced in v2.12.1 and is patched in v3.1.3 and v3.1.4. Users of affected versions should upgrade to v3.1.4.

Workarounds

There are no known workarounds at this time.

References

  • https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj
  • https://nvd.nist.gov/vuln/detail/CVE-2022-24826
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24826
  • https://github.com/git-lfs/git-lfs/releases/tag/v3.1.4
  • git-lfs/git-lfs@762ccd4a49

For more information

If you have any questions or comments about this advisory: * For general questions, start a discussion in the Git LFS discussion forum. * For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/git-lfs/git-lfs/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/git-lfs/git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:13:21Z",
    "nvd_published_at": "2022-04-20T00:16:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nOn Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code.  This does not affect Unix systems.\n\nSimilarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run.\n\nMore generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended program is not found in any directory listed in `PATH`.\n\nThe vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in `PATH` then Git LFS passes an empty string as the executable file path to the Go `os/exec` package, which contains a bug such that, on Windows, it prepends the name of the current working directory (i.e., `.`) to the empty string without adding a path separator, and as a result searches in that directory for a file with the base name `.` combined with any file extension from `PATHEXT`, executing the first one it finds.\n\n(The reason `..bat` and `..cmd` files are not executed in the same manner is that, although the Go `os/exec` package tries to execute them just as it does a `..exe` file, the Microsoft Win32 API `CreateProcess()` family of functions have an undocumented feature in that they apparently recognize when a caller is attempting to execute a batch script file and instead run the `cmd.exe` command interpreter, passing the full set of command line arguments as parameters.  These are unchanged from the command line arguments set by Git LFS, and as such, the intended program\u0027s name is the first, resulting in a command line like `cmd.exe /c git`, which then fails.)\n\nGit LFS has resolved this vulnerability by always reporting an error when a program is not found in any directory listed in `PATH` rather than passing an empty string to the Go `os/exec` package in this case.\n\nThe bug in the Go `os/exec` package has been reported to the Go project and is expected to be patched after this security advisory is published.\n\n### Patches\nThe problem was introduced in v2.12.1 and is patched in v3.1.3 and v3.1.4.  Users of affected versions should upgrade to v3.1.4.\n\n### Workarounds\nThere are no known workarounds at this time.\n\n### References\n* https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj\n* https://nvd.nist.gov/vuln/detail/CVE-2022-24826\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24826\n* https://github.com/git-lfs/git-lfs/releases/tag/v3.1.4\n* [git-lfs/git-lfs@762ccd4a49](https://github.com/git-lfs/git-lfs/commit/762ccd4a498f5c17723b91d56b9304434ada5540)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* For general questions, start a discussion in the Git LFS [discussion forum](https://github.com/git-lfs/git-lfs/discussions).\n* For reports of additional vulnerabilities, please follow the Git LFS [security reporting policy](https://github.com/git-lfs/git-lfs/blob/main/SECURITY.md).",
  "id": "GHSA-6rw3-3whw-jvjj",
  "modified": "2022-04-22T20:13:21Z",
  "published": "2022-04-22T20:13:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6rw3-3whw-jvjj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24826"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/git-lfs/git-lfs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Git LFS can execute a binary from the current directory on Windows"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.