CVE-2014-9390 - Improper Input Validation vulnerability in multiple products
Summary
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Metasploit
description | This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. A second vulnerability with similar characteristics also exists in both Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where certain Unicode codepoints are ignorable. The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows "short names" (MS-DOS-compatible 8.3 format) are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work. |
id | MSF:EXPLOIT/MULTI/HTTP/GIT_CLIENT_COMMAND_EXEC |
last seen | 2020-05-20 |
modified | 2020-02-18 |
published | 2015-01-01 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/git_client_command_exec.rb |
title | Malicious Git and Mercurial HTTP Server For CVE-2014-9390 |
Nessus
NASL family | Windows |
NASL id | SMB_VISUAL_STUDIO_GIT.NASL |
description | The version of Visual Studio installed on the remote host is affected by a command execution vulnerability when processing specially crafted git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 80333 |
published | 2015-01-02 |
reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/80333 |
title | Microsoft Visual Studio .git\config Command Execution |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(80333);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2014-9390");
  script_bugtraq_id(71732);

  script_name(english:"Microsoft Visual Studio .git\config Command Execution");
  script_summary(english:"Checks file versions.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is affected by a
command execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Visual Studio installed on the remote host is affected
by a command execution vulnerability when processing specially crafted
git trees in a case-insensitive or case-normalizing file system.

A remote attacker, using a specially crafted git tree, can overwrite a
user's '.git/config' file when the user clones or checks out a
repository, allowing arbitrary command execution.");
  # https://blogs.msdn.microsoft.com/bharry/2014/12/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b22459c0");
  script_set_attribute(attribute:"see_also", value:"http://article.gmane.org/gmane.linux.kernel/1853266");
  # http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afc47628");
  script_set_attribute(attribute:"solution", value:"Apply the appropriate patches as recommended by Microsoft.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:microsoft:visual_studio_team_foundation_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:git:git");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "microsoft_team_foundation_server_installed.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}

include('audit.inc');
include("smb_hotfixes.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

vs_2013_install_path_key = "SOFTWARE\Microsoft\VisualStudio\12.0\Setup\VS\ProductDir";
vs_2012_install_path_key = "SOFTWARE\Microsoft\VisualStudio\11.0\Setup\VS\ProductDir";

vs_2012_install_path = get_registry_value(handle:hklm, item:vs_2012_install_path_key);
vs_2013_install_path = get_registry_value(handle:hklm, item:vs_2013_install_path_key);

num_tfs_installs = get_kb_item("SMB/Microsoft_Team_Foundation_Server/NumInstalled");

RegCloseKey(handle:hklm);

tfs_2013_found = FALSE;
if(!isnull(num_tfs_installs))
  for(i=0; i<num_tfs_installs; i++)
    if(get_kb_item("SMB/Microsoft_Team_Foundation_Server/" + i + "/Version") =~ "^12\.")
      tfs_2013_found = TRUE;

if(isnull(vs_2012_install_path) && isnull(vs_2013_install_path) && !tfs_2013_found)
  audit(AUDIT_NOT_INST, "Microsoft Visual Studio 2012, 2013, or Team Foundation Server 2013");

vs_2012_vuln_users_info = '';
report = '';

if(!isnull(vs_2012_install_path))
{
  # check each user
  hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);
  subkeys = get_registry_subkeys(handle:hku, key:'');

  foreach key (subkeys)
  {
    if ('.DEFAULT' >< key || 'Classes' >< key || key =~ "^S-1-5-\d{2}$") # skip built-in accounts
      continue;

    extensions = get_reg_name_value_table(handle:hku ,key:key + "\Software\Microsoft\VisualStudio\11.0\ExtensionManager\EnabledExtensions");

    foreach ext (keys(extensions))
    {
      if('microsoft.teamfoundation.git.provider' >< ext)
      {
        git_tools_path = extensions[ext];

        if(hotfix_check_fversion(file: "git2-msvstfs.dll", version: "0.20.2", min_version: "0.20", path:git_tools_path) == HCF_OLDER)
        {
          vs_2012_vuln_users_info += '\n User SID : ' + key +
                                     '\n Extension path : ' + git_tools_path +
                                     '\n Unpatched DLL : git2-msvstfs.dll\n';
        }
      }
    }
  }
  RegCloseKey(handle:hku);

  # add to report if vulnerable extensions found
  if(vs_2012_vuln_users_info != '')
  {
    report += '\nThe following users have unpatched Visual Studio 2012 Git Tools\nExtensions : \n' + vs_2012_vuln_users_info;
  }
}

# check VS 2013 Team Foundation Server
if(tfs_2013_found)
{
  tfs_2013_info = '';
  for(i=0; i<num_tfs_installs; i++)
  {
    tfs_ver = get_kb_item("SMB/Microsoft_Team_Foundation_Server/" + i + "/Version");
    if(tfs_ver !~ "^12\.0") continue;

    tfs_2013_install_path = get_kb_item("SMB/Microsoft_Team_Foundation_Server/" + i + "/Path");

    # should never happen, but check just in case
    if(isnull(tfs_2013_install_path)) continue;

    ret = hotfix_get_fversion(path:hotfix_append_path(path:tfs_2013_install_path, value:"Application Tier\Web Services\bin\Microsoft.TeamFoundation.Git.Server.dll"));
    if (ret['error'] != HCF_OK)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_FN_FAIL, 'hotfix_get_fversion');
    }
    git_ver = join(ret['value'], sep:'.');

    if(git_ver =~ "^12\.0\.2\d{4}\." && ver_compare(fix:"12.0.22416.3", ver:git_ver, strict:FALSE) == -1)
    {
      tfs_2013_info += '\n Install Path : ' + tfs_2013_install_path +
                       '\n Unpatched DLL : Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.Git.Server.dll' +
                       '\n DLL Version : ' + git_ver +
                       '\n Fixed Version : 12.0.22416.3' +
                       '\n Required KB : KB3023302\n';
    }
    else if(git_ver =~ "^12\.0\.3\d{4}\." && ver_compare(fix:"12.0.31115.1", ver:git_ver, strict:FALSE) == -1)
    {
      tfs_2013_info += '\n Install Path : ' + tfs_2013_install_path +
                       '\n Unpatched DLL : Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.Git.Server.dll' +
                       '\n DLL Version : ' + git_ver +
                       '\n Fixed Version : 12.0.31115.1' +
                       '\n Required KB : KB3023304 (with SP4)\n';
    }
  }

  if(tfs_2013_info != '')
  {
    report += '\nThe following vulnerable Visual Studio Team Foundation Server 2013\nInstalls were found : \n' + tfs_2013_info;
  }
}

if(!isnull(vs_2013_install_path))
{
  vs_2013_info = '';
  ret = hotfix_get_fversion(path:hotfix_append_path(path:vs_2013_install_path, value:"Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\git2-msvstfs.dll"));
  if (ret['error'] != HCF_OK)
  {
    hotfix_check_fversion_end();
    audit(AUDIT_FN_FAIL, 'hotfix_get_fversion');
  }
  git_ver = join(ret['value'], sep:'.');

  if(ver_compare(fix:"0.20.2.0", ver:git_ver, strict:FALSE) == -1)
  {
    vs_2013_info = '\n Install Path : ' + vs_2013_install_path +
                   '\n Unpatched DLL : Common7\\IDE\\CommonExtensions\\Microsoft\\TeamFoundation\\Team Explorer\\git2-msvstfs.dll' +
                   '\n DLL version : ' + git_ver +
                   '\n Fixed version : 0.20.2.0' +
                   '\n Required KB : KB3023576\n';
  }
  else if(git_ver =~ "^0\.20\.\d{5}\." && ver_compare(fix:"0.20.31212.0", ver:git_ver, strict:FALSE) == -1)
  {
    vs_2013_info = '\n Install Path : ' + vs_2013_install_path +
                   '\n Unpatched DLL : Common7\\IDE\\CommonExtensions\\Microsoft\\TeamFoundation\\Team Explorer\\git2-msvstfs.dll' +
                   '\n DLL version : ' + git_ver +
                   '\n Fixed version : 0.20.31212.0' +
                   '\n Required KB : KB3023577 (with SP4)\n';
  }

  if(vs_2013_info != '')
  {
    report += '\nThe following vulnerable Visual Studio 2013 install was found : \n' + vs_2013_info;
  }
}

hotfix_check_fversion_end();

if(report != '')
{
  port = kb_smb_transport();
  if(report_verbosity > 0) security_warning(port:port, extra:report);
  else security_warning(port:port);
}
else audit(AUDIT_HOST_NOT, 'affected');
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2015-436.NASL |
description | The git web frontend cgit was updated to 0.11.2 to fix security issues and bugs. The following vulnerabilities were fixed : - CVE-2014-9390: arbitrary command execution vulnerability on case-insensitive file systems in git. Malicious commits could affect client users on all platforms using case-insensitive file systems when using vulnerable git versions. In addition cgit was updated to 0.11.2 with minor improvements and bug fixes. The embedded git version was updated to 2.4.3. |
last seen | 2020-06-05 |
modified | 2015-06-23 |
plugin id | 84335 |
published | 2015-06-23 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/84335 |
title | openSUSE Security Update : cgit (openSUSE-2015-436) |
code |

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2015-436.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(84335);
  script_version("2.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-9390");

  script_name(english:"openSUSE Security Update : cgit (openSUSE-2015-436)");
  script_summary(english:"Check for the openSUSE-2015-436 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The git web frontend cgit was updated to 0.11.2 to fix security issues
and bugs.

The following vulnerabilities were fixed :

  - CVE-2014-9390: arbitrary command execution vulnerability
    on case-insensitive file systems in git. Malicious
    commits could affect client users on all platforms using
    case-insensitive file systems when using vulnerable git
    versions.

In addition cgit was updated to 0.11.2 with minor improvements and bug
fixes. The embedded git version was updated to 2.4.3."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=910756"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected cgit packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cgit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cgit-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cgit-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/23");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE13.1", reference:"cgit-0.11.2-11.3.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"cgit-debuginfo-0.11.2-11.3.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"cgit-debugsource-0.11.2-11.3.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"cgit-0.11.2-13.3.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"cgit-debuginfo-0.11.2-13.3.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"cgit-debugsource-0.11.2-13.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cgit / cgit-debuginfo / cgit-debugsource");
}
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_GITHUB_194.NASL |
description | The remote Mac OS X host has a version of GitHub prior to 194 installed. It is, therefore, affected by a remote command execution vulnerability when processing git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 80220 |
published | 2014-12-23 |
reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/80220 |
title | GitHub < 1.9.4 .git/config Command Execution (Mac OS X) |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(80220);
  script_version("1.8");
  script_cvs_date("Date: 2018/07/14 1:59:36");

  script_cve_id("CVE-2014-9390");
  script_bugtraq_id(71732);

  script_name(english:"GitHub < 1.9.4 .git/config Command Execution (Mac OS X)");
  script_summary(english:"Checks the version of GitHub.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is affected by a
remote command execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Mac OS X host has a version of GitHub prior to 194
installed. It is, therefore, affected by a remote command execution
vulnerability when processing git trees in a case-insensitive or
case-normalizing file system.

A remote attacker, using a specially crafted git tree, can overwrite a
user's '.git/config' file when the user clones or checks out a
repository, allowing arbitrary command execution.");
  # https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ad68bb83");
  script_set_attribute(attribute:"see_also", value:"http://article.gmane.org/gmane.linux.kernel/1853266");
  # http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afc47628");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 1.9.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:github:github");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:git:git");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("macosx_github_installed.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "installed_sw/GitHub");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

appname = "GitHub";
install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
path = install["path"];
ver = install["version"];

fix = '194';

# Versions are sequential. ver_compare() may be a little
# silly for a single node, but it works.
if (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    report =
      '\n Path : ' + path +
      '\n Installed version : ' + ver +
      '\n Fixed version : ' + fix + '\n';
    security_warning(port:0, extra:report);
  }
  else security_warning(port:0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path);
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_1D56727887A511E4879C000C292EE6B8.NASL |
description | The Git Project reports : When using a case-insensitive filesystem an attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. If you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git. |
last seen | 2020-03-18 |
modified | 2014-12-22 |
plugin id | 80148 |
published | 2014-12-22 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/80148 |
title | FreeBSD : git -- Arbitrary command execution on case-insensitive filesystems (1d567278-87a5-11e4-879c-000c292ee6b8) |
code |

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2020 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(80148);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");

  script_cve_id("CVE-2014-9390");

  script_name(english:"FreeBSD : git -- Arbitrary command execution on case-insensitive filesystems (1d567278-87a5-11e4-879c-000c292ee6b8)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The Git Project reports :

When using a case-insensitive filesystem an attacker can craft a
malicious Git tree that will cause Git to overwrite its own .git/config
file when cloning or checking out a repository, leading to arbitrary
command execution in the client machine.

If you are a hosting service whose users may fetch from your service
to Windows or Mac OS X machines, you are strongly encouraged to update
to protect such users who use existing versions of Git."
  );
  # https://github.com/blog/1938-git-client-vulnerability-announced
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1b80f9cd"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://article.gmane.org/gmane.linux.kernel/1853266"
  );
  # https://vuxml.freebsd.org/freebsd/1d567278-87a5-11e4-879c-000c292ee6b8.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?875fb227"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:git");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/22");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"git<2.2.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2015-80.NASL |
description | This update fixes the following security issue : - CVE-2014-9390: arbitrary command execution vulnerability on case-insensitive file system (bnc#910756) |
last seen | 2020-06-05 |
modified | 2015-01-29 |
plugin id | 81064 |
published | 2015-01-29 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/81064 |
title | openSUSE Security Update : git (openSUSE-SU-2015:0159-1) |
code |
```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2015-80.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(81064);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-9390");

  script_name(english:"openSUSE Security Update : git (openSUSE-SU-2015:0159-1)");
  script_summary(english:"Check for the openSUSE-2015-80 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes the following security issue :

  - CVE-2014-9390: arbitrary command execution vulnerability
    on case-insensitive file system ( bnc#910756)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=910756"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2015-01/msg00083.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected git packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-arch");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-core-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-cvs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-daemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-daemon-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-email");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-gui");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-remote-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-svn");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-svn-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-web");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gitk");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/29");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE13.1", reference:"git-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-arch-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-core-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-core-debuginfo-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-cvs-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-daemon-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-daemon-debuginfo-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-debugsource-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-email-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-gui-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-remote-helpers-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-svn-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-svn-debuginfo-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"git-web-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"gitk-1.8.4.5-3.8.4") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-arch-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-core-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-core-debuginfo-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-cvs-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-daemon-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-daemon-debuginfo-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-debugsource-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-email-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-gui-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-svn-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-svn-debuginfo-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"git-web-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"gitk-2.1.4-9.7") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-arch-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-core-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-core-debuginfo-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-cvs-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-daemon-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-daemon-debuginfo-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-debugsource-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-email-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-gui-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-svn-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-svn-debuginfo-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-web-2.1.4-9.6") ) flag++;
if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"gitk-2.1.4-9.6") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "git / git-arch / git-core / git-core-debuginfo / git-cvs / etc");
}
```
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2015-288.NASL |
description | libgit2 was updated to fix an arbitrary command execution vulnerability on case-insensitive file systems. The following vulnerability was fixed : - When using programs using libgit2 on case-insensitive filesystems, .git/config could be overwritten, which allowed execution of arbitrary commands (boo#925040, CVE-2014-9390). The configuration is uncommon as all default file systems on openSUSE are case sensitive. Additionally, on openSUSE 13.2 libgit2 was updated to version 0.21.5 to backport further critical fixes. |
last seen | 2020-06-05 |
modified | 2015-04-08 |
plugin id | 82634 |
published | 2015-04-08 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/82634 |
title | openSUSE Security Update : libgit2 (openSUSE-2015-288) |

NASL family | Windows |
NASL id | GITHUB_WIN_RCE.NASL |
description | The version of GitHub for Windows installed on the remote host is prior to 2.6.5. It is, therefore, affected by a command execution vulnerability when processing specially crafted git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 80202 |
published | 2014-12-22 |
reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/80202 |
title | GitHub for Windows < 2.6.5 .git/config Command Execution |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2014-17341.NASL |
description | Fixes for CVE-2014-9390 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2014-12-30 |
plugin id | 80298 |
published | 2014-12-30 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/80298 |
title | Fedora 21 : eclipse-egit-3.5.3-1.fc21 / eclipse-jgit-3.5.3-1.fc21 (2014-17341) |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_XCODE_GIT.NASL |
description | The remote Mac OS X host has a version of Apple Xcode prior to 6.2 beta 3. It is, therefore, affected by a remote command execution vulnerability when processing git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user's '.git/config' file when the user clones or checks out a repository, allowing arbitrary command execution. This plugin has been deprecated. It detects Xcode installations vulnerable to CVE-2014-9390, and was created before Apple released a security update to fix this vulnerability. On March 9, 2015, a security update for Xcode was released. The update fixes multiple vulnerabilities (including CVE-2014-9390). A separate plugin (ID 81758) has been created to detect that update. That plugin should be used instead of this one. |
last seen | 2018-07-15 |
modified | 2018-07-14 |
plugin id | 80828 |
published | 2015-01-19 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=80828 |
title | Apple Xcode < 6.2 beta 3 .git/config Command Execution (Mac OS X) (deprecated) |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_XCODE_6_2.NASL |
description | The Apple Xcode installed on the remote Mac OS X host is prior to version 6.2. It is, therefore, affected by the following vulnerabilities : - Numerous errors exist related to the bundled version of Apache Subversion. (CVE-2014-3522, CVE-2014-3528, CVE-2014-3580, CVE-2014-8108) - An error exists related to the bundled version of Git that allows arbitrary files to be added to the .git folder. (CVE-2014-9390) |
last seen | 2020-05-06 |
modified | 2015-03-11 |
plugin id | 81758 |
published | 2015-03-11 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/81758 |
title | Apple Xcode < 6.2 (Mac OS X) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-3257.NASL |
description | Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 83336 |
published | 2015-05-12 |
reporter | This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/83336 |
title | Debian DSA-3257-1 : mercurial - security update |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201509-06.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201509-06 (Git: Arbitrary command execution). A vulnerability in Git causes Git-compatible clients that access case-insensitive or case-normalizing filesystems to overwrite the .git/config when cloning or checking out a repository, leading to execution of arbitrary commands. Impact : An attacker can execute arbitrary commands on a client machine that clones a crafted malicious Git tree. Workaround : There is no known workaround at this time. |
last seen | 2020-03-18 |
modified | 2015-09-25 |
plugin id | 86137 |
published | 2015-09-25 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/86137 |
title | GLSA-201509-06 : Git: Arbitrary command execution |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201612-19.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201612-19 (Mercurial: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Mercurial. Please review the CVE identifier and bug reports referenced for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time. |
last seen | 2020-03-18 |
modified | 2016-12-07 |
plugin id | 95605 |
published | 2016-12-07 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95605 |
title | GLSA-201612-19 : Mercurial: Multiple vulnerabilities |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2015-169.NASL |
description | Updated git packages fix security vulnerability : It was reported that git, when used as a client on a case-insensitive filesystem, could allow the overwrite of the .git/config file when the client performed a git pull. Because git permitted committing .Git/config (or any case variation), on the pull this would replace the user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 82422 |
published | 2015-03-30 |
reporter | This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/82422 |
title | Mandriva Linux Security Advisory : git (MDVSA-2015:169) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2015-0100-1.NASL |
description | This update fixes the following security issue : - CVE-2014-9390: arbitrary command execution vulnerability on case-insensitive file system (bnc#910756) |
last seen | 2020-03-18 |
modified | 2015-05-20 |
plugin id | 83671 |
published | 2015-05-20 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/83671 |
title | SUSE SLES12 Security Update : git (SUSE-SU-2015:0100-1) |

NASL family | Windows |
NASL id | GIT_FOR_WINDOWS_1_9_5.NASL |
description | The version of Git for Windows (also known as msysGit) installed on the remote host is prior to 1.9.5. It is, therefore, affected by a command execution vulnerability when processing specially crafted git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 80306 |
published | 2014-12-30 |
reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/80306 |
title | Git for Windows .git/config Command Execution |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-237.NASL |
description | CVE-2014-9462: Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command. CVE-2014-9390 is a security vulnerability that affects mercurial repositories in a case-insensitive filesystem (e.g. VFAT or HFS+). It allows for remote code execution via a specially crafted repository. This is less severe for the average Debian installation as they are usually set up with case-sensitive filesystems. |
last seen | 2020-03-17 |
modified | 2015-06-05 |
plugin id | 83995 |
published | 2015-06-05 |
reporter | This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/83995 |
title | Debian DLA-237-1 : mercurial security update |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-2470-1.NASL |
description | Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain filesystem paths. A remote attacker could possibly use this issue to execute arbitrary code if the Git tree is stored in an HFS+ or NTFS filesystem. The remote attacker would need write access to a Git repository that the victim pulls from. |
last seen | 2020-03-18 |
modified | 2015-01-14 |
plugin id | 80517 |
published | 2015-01-14 |
reporter | Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/80517 |
title | Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : git vulnerability (USN-2470-1) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/129784/git_client_command_exec.rb.txt |
id | PACKETSTORM:129784 |
last seen | 2016-12-05 |
published | 2015-01-02 |
reporter | Jon Hart |
source | https://packetstormsecurity.com/files/129784/Malicious-Git-And-Mercurial-HTTP-Server-For-CVE-2014-9390.html |
title | Malicious Git And Mercurial HTTP Server For CVE-2014-9390 |
Seebug
bulletinFamily | exploit |
description | Reference source: http://seclists.org/oss-sec/2016/q1/645

Hello, the original report describing the overflow is here: http://pastebin.com/UX2P2jjg

> On 11/02/2016 16:50, Jeff King wrote this on the git security mailing list:
>
> > On Thu, Feb 11, 2016 at 02:31:49PM +0100, 'Laël Cellier' via Git Security wrote:
> >
> > Ok, the bug works by pushing or cloning a repository with a large filename or a large number of nested trees. [...] The point is that affected versions are still shipped as part of many distributions as part of their stable branch, so I think it's important to get a CVE for public awareness.
>
> Yes, I do think versions below v2.7.0 have a heap overflow, as you mentioned. But I don't think that is the only problem with path_name(), even in the current version.
>
> I'll repeat the code here (the version you posted was indented badly, and I had trouble reading it):
>
> ```c
> -- >8 --
> char *path_name(const struct name_path *path, const char *name)
> {
> 	const struct name_path *p;
> 	char *n, *m;
> 	int nlen = strlen(name);
> 	int len = nlen + 1;
>
> 	for (p = path; p; p = p->up) {
> 		if (p->elem_len)
> 			len += p->elem_len + 1;
> 	}
> 	n = xmalloc(len);
> 	m = n + len - (nlen + 1);
> 	memcpy(m, name, nlen + 1);
> 	for (p = path; p; p = p->up) {
> 		if (p->elem_len) {
> 			m -= p->elem_len + 1;
> 			memcpy(m, p->elem, p->elem_len);
> 			m[p->elem_len] = '/';
> 		}
> 	}
> 	return n;
> }
> -- 8< --
> ```
>
> The problem you describe is one where the size of the allocation does not match what strcpy would write. And that's kind-of fixed by moving to memcpy() in 34fa79a6, because at least now the initial value of "len" matches the number of bytes we write (so that number might be totally bogus, but we don't write more than we allocate).
>
> But "len" can also change after the fact, due to the loop. If you have a sequence of path components, each less than 2^31, they can sum to a much smaller positive value due to integer overflow (e.g., A/B/C with lengths A=2^31-5, B=2^31-5, C=20 would yield len=10). Then the buffer is too small to fit C, let alone all of the extra components we insert in the second loop.
>
> The fix I came up with for this is to convert all of the "int" variables here to "size_t". That doesn't actually _fix_ the problem at all, but does mean on a 64-bit system that you need a 2^64-long path to trigger it, which is impractical. But that doesn't help 32-bit systems (though in practice, I wouldn't be surprised if we barf long before that, as we would be unable to hold the "struct name_path" list in memory).
>
> Note that there is also a similar problem in tree-diff.c's path_appendnew(). There we build up the full pathname in a strbuf, which checks for overflow. But we then pass that length as an int and allocate a FLEX_ARRAY struct with it, which can end up too-small. This one is the more interesting of the two, I think, as it triggers via git-log, whereas the path_name() happens only during a repack (so it will hit you _eventually_, but probably not as soon as you've cloned).
>
> My solution there was similar: use size_t, which at least means you'd have to allocate petabytes on a 64-bit system to trigger it (much less on a 32-bit system, but _probably_ you'd be saved by malloc failing first).
>
> And that's why I dragged my feet on sending those fixes upstream; I don't think they're complete. The complete fix would be to use size_t consistently to store return values for strlen(), and to do integer overflow checks whenever we do computations on size_t.
>
> Those of you on this list may recall I posted a series for the latter last year, but it was somewhat invasive. It may be worth resurrecting.
>
> I think we could also get rid of path_name() entirely. The sole purpose at this point is to compute the name-hash for pack-objects, which could be done by walking the name_path list rather than re-constructing the whole thing in memory.
>
> -Peff

Of course everything Peff talked about above is now fixed in git 2.7.1 with the removal of path_name() and the size_t/overflow check in tree-diff.c. It was even fixed earlier for users of GitHub Enterprise. However, several months after the last message on this thread, I'm not aware of any Linux distribution that issued a fix for their stable branch. Last week I could contact Wikimedia so they could fix their gerrit-gc server. Bitbucket and GitLab still suffer from that issue (they even use a git version before git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305, which is the easiest one to trigger because of strcpy() instead of memcpy()). While it seems normal that the CVE details are still unpublished, I definitely can't deal with every major provider. People surely remember https://www.google.fr/search?tbm=nws&q=cve-2014-9390 breaking the news about a similar issue in that software (which allowed most distros to fix it quickly). It seems that while this threat is more widespread, it definitely lacks advertisement. So some people suggested I post about it here. |
id | SSV:91042 |
last seen | 2017-11-19 |
modified | 2016-03-16 |
published | 2016-03-16 |
reporter | Root |
title | Git version <= 2.7.1 remote code execution vulnerability |
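As an added illustration of the overflow Peff describes in the `len` loop (this is not code from the thread or from git itself): a constructed stand-in for `struct name_path`, with the unchecked 32-bit sum beside an overflow-checked size_t version in the spirit of the size_t fix. `build_path`, the `limit` parameter and the helper names are assumptions of this example; for the A/B/C lengths from the mail the wrapped 32-bit sum is 13 bytes against a real need of 2^32+13.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for git's struct name_path: a leaf-to-root list of
 * path components, walked the way the quoted path_name() walks it. */
struct name_path {
    const struct name_path *up;
    size_t elem_len;
};

/* Models the old path_name() arithmetic: "len" sums each component plus a
 * separator with no overflow check. Unsigned 32-bit math is used so the
 * wrap is well defined (signed int overflow in the original is UB). */
uint32_t naive_path_len(const struct name_path *path, uint32_t nlen)
{
    uint32_t len = nlen + 1;
    for (const struct name_path *p = path; p; p = p->up)
        if (p->elem_len)
            len += (uint32_t)p->elem_len + 1;
    return len;
}

/* Checked variant: accumulates in size_t and rejects any sum above `limit`
 * (INT_MAX models the old int, SIZE_MAX the size_t of the fix). Returns 1
 * and stores the length in *out, or 0 if the allocation size would wrap. */
int checked_path_len(const struct name_path *path, size_t nlen,
                     size_t limit, size_t *out)
{
    if (nlen >= limit)                /* nlen + 1 would exceed limit */
        return 0;
    size_t len = nlen + 1;
    for (const struct name_path *p = path; p; p = p->up) {
        if (!p->elem_len)
            continue;
        if (p->elem_len >= limit)     /* elem_len + 1 would exceed limit */
            return 0;
        size_t add = p->elem_len + 1;
        if (len > limit - add)        /* len + add would exceed limit */
            return 0;
        len += add;
    }
    *out = len;
    return 1;
}

/* Links root-to-leaf component lengths into the leaf-to-root chain. */
const struct name_path *build_path(struct name_path *nodes,
                                   const size_t *lens, size_t n)
{
    const struct name_path *up = NULL;
    for (size_t i = 0; i < n; i++) {
        nodes[i].up = up;
        nodes[i].elem_len = lens[i];
        up = &nodes[i];
    }
    return up;
}

/* The A/B/C case from the quoted mail: A and B of 2^31-5 bytes, C of 20. */
static const size_t ABC_LENS[2] = { ((size_t)1 << 31) - 5, ((size_t)1 << 31) - 5 };
#define ABC_NAME_LEN 20

uint32_t abc_naive_len(void)
{
    struct name_path nodes[2];
    return naive_path_len(build_path(nodes, ABC_LENS, 2), ABC_NAME_LEN);
}

/* Checked length of A/B/C under `limit`, or 0 when the sum is rejected. */
size_t abc_checked_len(size_t limit)
{
    struct name_path nodes[2];
    size_t out = 0;
    return checked_path_len(build_path(nodes, ABC_LENS, 2), ABC_NAME_LEN,
                            limit, &out) ? out : 0;
}

int main(void)
{
    printf("naive 32-bit len for A/B/C: %u (real size is 2^32+13)\n", (unsigned)abc_naive_len());
    printf("checked, INT_MAX limit: %s\n", abc_checked_len(INT_MAX) ? "ok" : "rejected");
    return 0;
}
```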
References
- https://news.ycombinator.com/item?id=8769667
- http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
- https://github.com/blog/1938-git-client-vulnerability-announced
- http://securitytracker.com/id?1031404
- http://article.gmane.org/gmane.linux.kernel/1853266
- http://mercurial.selenic.com/wiki/WhatsNew
- http://support.apple.com/kb/HT204147
- https://libgit2.org/security/
- https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915