Vulnerabilities > CVE-2014-9390 - Improper Input Validation vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
git-scm
mercurial
apple
eclipse
libgit2
CWE-20
nessus
metasploit

Summary

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

Vulnerable Configurations

Part Description Count
Application
Git-Scm
538
Application
Mercurial
64
Application
Apple
49
Application
Eclipse
30
Application
Libgit2
21
OS
Apple
1
OS
Microsoft
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Metasploit

descriptionThis module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. A second vulnerability with similar characteristics also exists in both Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where certain Unicode codepoints are ignorable. The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows "short names" (MS-DOS-compatible 8.3 format) are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work.
idMSF:EXPLOIT/MULTI/HTTP/GIT_CLIENT_COMMAND_EXEC
last seen2020-05-20
modified2020-02-18
published2015-01-01
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/git_client_command_exec.rb
titleMalicious Git and Mercurial HTTP Server For CVE-2014-9390

Nessus

  • NASL familyWindows
    NASL idSMB_VISUAL_STUDIO_GIT.NASL
    descriptionThe version of Visual Studio installed on the remote host is affected by a command execution vulnerability when processing specially crafted git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user
    last seen2020-06-01
    modified2020-06-02
    plugin id80333
    published2015-01-02
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80333
    titleMicrosoft Visual Studio .git\config Command Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80333);
      script_version("1.8");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id("CVE-2014-9390");
      script_bugtraq_id(71732);
    
      script_name(english:"Microsoft Visual Studio .git\config Command Execution");
      script_summary(english:"Checks file versions.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has an application installed that is affected by a
    command execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Visual Studio installed on the remote host is affected
    by a command execution vulnerability when processing specially crafted
    git trees in a case-insensitive or case-normalizing file system. A
    remote attacker, using a specially crafted git tree, can overwrite a
    user's '.git/config' file when the user clones or checks out a
    repository, allowing arbitrary command execution.");
      # https://blogs.msdn.microsoft.com/bharry/2014/12/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b22459c0");
      script_set_attribute(attribute:"see_also", value:"http://article.gmane.org/gmane.linux.kernel/1853266");
      # http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afc47628");
      script_set_attribute(attribute:"solution", value:"Apply the appropriate patches as recommended by Microsoft.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:microsoft:visual_studio_team_foundation_server");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:git:git");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "microsoft_team_foundation_server_installed.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
      exit(0);
    }
    
    include('audit.inc');
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    
    registry_init();
    
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    
    vs_2013_install_path_key = "SOFTWARE\Microsoft\VisualStudio\12.0\Setup\VS\ProductDir";
    vs_2012_install_path_key = "SOFTWARE\Microsoft\VisualStudio\11.0\Setup\VS\ProductDir";
    
    vs_2012_install_path = get_registry_value(handle:hklm, item:vs_2012_install_path_key);
    vs_2013_install_path = get_registry_value(handle:hklm, item:vs_2013_install_path_key);
    num_tfs_installs = get_kb_item("SMB/Microsoft_Team_Foundation_Server/NumInstalled");
    
    RegCloseKey(handle:hklm);
    
    tfs_2013_found = FALSE;
    if(!isnull(num_tfs_installs))
      for(i=0; i<num_tfs_installs; i++)
        if(get_kb_item("SMB/Microsoft_Team_Foundation_Server/" + i + "/Version") =~ "^12\.")
          tfs_2013_found = TRUE;
    
    if(isnull(vs_2012_install_path) && isnull(vs_2013_install_path) && !tfs_2013_found)
      audit(AUDIT_NOT_INST, "Microsoft Visual Studio 2012, 2013, or Team Foundation Server 2013");
    
    vs_2012_vuln_users_info = '';
    report = '';
    
    if(!isnull(vs_2012_install_path))
    {
      # check each user
      hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);
      subkeys = get_registry_subkeys(handle:hku, key:'');
    
      foreach key (subkeys)
      {
        if ('.DEFAULT' >< key || 'Classes' >< key ||
           key =~ "^S-1-5-\d{2}$") # skip built-in accounts
          continue;
    
        extensions = get_reg_name_value_table(handle:hku ,key:key + "\Software\Microsoft\VisualStudio\11.0\ExtensionManager\EnabledExtensions");
    
        foreach ext (keys(extensions))
        {
          if('microsoft.teamfoundation.git.provider' >< ext)
          {
            git_tools_path = extensions[ext];
    
            if(hotfix_check_fversion(file: "git2-msvstfs.dll",
                                     version: "0.20.2",
                                     min_version: "0.20",
                                     path:git_tools_path) == HCF_OLDER)
            {
              vs_2012_vuln_users_info += '\n   User SID : ' + key +
                                         '\n     Extension path : ' + git_tools_path + 
                                         '\n     Unpatched DLL  : git2-msvstfs.dll\n';
            }
          }
        }
      }
    }
    
    RegCloseKey(handle:hku);
    
    # add to report if vulnerable extensions found
    if(vs_2012_vuln_users_info != '')
    {
      report += '\nThe following users have unpatched Visual Studio 2012 Git Tools\nExtensions : \n' +
                vs_2012_vuln_users_info;
    }
    
    # check VS 2013 Team Foundation Server
    if(tfs_2013_found)
    {
      tfs_2013_info = '';
      for(i=0; i<num_tfs_installs; i++)
      {
        tfs_ver = get_kb_item("SMB/Microsoft_Team_Foundation_Server/" + i + "/Version");
        if(tfs_ver !~ "^12\.0") continue;
    
        tfs_2013_install_path = get_kb_item("SMB/Microsoft_Team_Foundation_Server/" + i + "/Path");
        # should never happen, but check just in case
        if(isnull(tfs_2013_install_path)) continue;
    
        ret = hotfix_get_fversion(path:hotfix_append_path(path:tfs_2013_install_path, value:"Application Tier\Web Services\bin\Microsoft.TeamFoundation.Git.Server.dll"));
        if (ret['error'] != HCF_OK)
        {
          hotfix_check_fversion_end();
          audit(AUDIT_FN_FAIL, 'hotfix_get_fversion');
        }
        git_ver = join(ret['value'], sep:'.');
    
        if(git_ver =~ "^12\.0\.2\d{4}\." &&
           ver_compare(fix:"12.0.22416.3", ver:git_ver, strict:FALSE) == -1)
        {
          tfs_2013_info += '\n  Install Path  : ' + tfs_2013_install_path +
                           '\n  Unpatched DLL : Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.Git.Server.dll' +
                           '\n  DLL Version   : ' + git_ver +
                           '\n  Fixed Version : 12.0.22416.3' +
                           '\n  Required KB   : KB3023302\n';
        }
        else if(git_ver =~ "^12\.0\.3\d{4}\." &&
                ver_compare(fix:"12.0.31115.1", ver:git_ver, strict:FALSE) == -1)
        {
          tfs_2013_info += '\n  Install Path  : ' + tfs_2013_install_path +
                           '\n  Unpatched DLL : Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.Git.Server.dll' +
                           '\n  DLL Version   : ' + git_ver +
                           '\n  Fixed Version : 12.0.31115.1' +
                           '\n  Required KB   : KB3023304 (with SP4)\n';
        }
      }
    
      if(tfs_2013_info != '')
      {
        report += '\nThe following vulnerable Visual Studio Team Foundation Server 2013\nInstalls were found : \n' +
                  tfs_2013_info;
      }
    }
    
    if(!isnull(vs_2013_install_path))
    {
      vs_2013_info = '';
    
      ret = hotfix_get_fversion(path:hotfix_append_path(path:vs_2013_install_path, value:"Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\git2-msvstfs.dll"));
    
      if (ret['error'] != HCF_OK)
      {
        hotfix_check_fversion_end();
        audit(AUDIT_FN_FAIL, 'hotfix_get_fversion');
      }
      git_ver = join(ret['value'], sep:'.');
    
      if(ver_compare(fix:"0.20.2.0", ver:git_ver, strict:FALSE) == -1)
      {
        vs_2013_info = '\n  Install Path  : ' + vs_2013_install_path +
                       '\n  Unpatched DLL : Common7\\IDE\\CommonExtensions\\Microsoft\\TeamFoundation\\Team Explorer\\git2-msvstfs.dll' +
                       '\n  DLL version   : ' + git_ver +
                       '\n  Fixed version : 0.20.2.0' +
                       '\n  Required KB   : KB3023576\n';
      }
      else if(git_ver =~ "^0\.20\.\d{5}\." &&
              ver_compare(fix:"0.20.31212.0", ver:git_ver, strict:FALSE) == -1)
      {
        vs_2013_info = '\n  Install Path  : ' + vs_2013_install_path +
                       '\n  Unpatched DLL : Common7\\IDE\\CommonExtensions\\Microsoft\\TeamFoundation\\Team Explorer\\git2-msvstfs.dll' +
                       '\n  DLL version   : ' + git_ver +
                       '\n  Fixed version : 0.20.31212.0' +
                       '\n  Required KB   : KB3023577 (with SP4)\n';
      }
    
      if(vs_2013_info != '')
      {
        report += '\nThe following vulnerable Visual Studio 2013 install was found : \n' +
                  vs_2013_info;
      }
    }
    
    hotfix_check_fversion_end();
    
    if(report != '')
    {
      port = kb_smb_transport();
      if(report_verbosity > 0)
        security_warning(port:port, extra:report);
      else security_warning(port:port);
    }
    else audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-436.NASL
    descriptionThe git web frontend cgit was updated to 0.11.2 to fix security issues and bugs. The following vulnerabilities were fixed : - CVE-2014-9390: arbitrary command execution vulnerability on case-insensitive file systems in git. Malicious commits could affect client users on all platforms using case-insensitive file systems when using vulnerable git versions. In addition cgit was updated to 0.11.2 with minor improvements and bug fixes. The embedded git version was updated to 2.4.3.
    last seen2020-06-05
    modified2015-06-23
    plugin id84335
    published2015-06-23
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84335
    titleopenSUSE Security Update : cgit (openSUSE-2015-436)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-436.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84335);
      script_version("2.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-9390");
    
      script_name(english:"openSUSE Security Update : cgit (openSUSE-2015-436)");
      script_summary(english:"Check for the openSUSE-2015-436 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The git web frontend cgit was updated to 0.11.2 to fix security issues
    and bugs.
    
    The following vulnerabilities were fixed :
    
      - CVE-2014-9390: arbitrary command execution vulnerability
        on case-insensitive file systems in git. Malicious
        commits could affect client users on all platforms using
        case-insensitive file systems when using vulnerable git
        versions.
    
    In addition cgit was updated to 0.11.2 with minor improvements and bug
    fixes.
    
    The embedded git version was updated to 2.4.3."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=910756"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cgit packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cgit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cgit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cgit-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/06/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/23");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"cgit-0.11.2-11.3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"cgit-debuginfo-0.11.2-11.3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"cgit-debugsource-0.11.2-11.3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"cgit-0.11.2-13.3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"cgit-debuginfo-0.11.2-13.3.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"cgit-debugsource-0.11.2-13.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cgit / cgit-debuginfo / cgit-debugsource");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_GITHUB_194.NASL
    descriptionThe remote Mac OS X host has a version of GitHub prior to 194 installed. It is, therefore, affected by a remote command execution vulnerability when processing git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user
    last seen2020-06-01
    modified2020-06-02
    plugin id80220
    published2014-12-23
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80220
    titleGitHub < 1.9.4 .git/config Command Execution (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80220);
      script_version("1.8");
      script_cvs_date("Date: 2018/07/14  1:59:36");
    
      script_cve_id("CVE-2014-9390");
      script_bugtraq_id(71732);
    
      script_name(english:"GitHub < 1.9.4 .git/config Command Execution (Mac OS X)");
      script_summary(english:"Checks the version of GitHub.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has an application installed that is affected by a
    remote command execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Mac OS X host has a version of GitHub prior to 194
    installed. It is, therefore, affected by a remote command execution
    vulnerability when processing git trees in a case-insensitive or
    case-normalizing file system. A remote attacker, using a specially
    crafted git tree, can overwrite a user's '.git/config' file when the
    user clones or checks out a repository, allowing arbitrary command
    execution.");
      # https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ad68bb83");
      script_set_attribute(attribute:"see_also", value:"http://article.gmane.org/gmane.linux.kernel/1853266");
      # http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afc47628");
      script_set_attribute(attribute:"solution", value:"Upgrade to version 1.9.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/23");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:github:github");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:git:git");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("macosx_github_installed.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "installed_sw/GitHub");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    appname = "GitHub";
    
    install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
    path = install["path"];
    ver  = install["version"];
    
    fix = '194';
    
    # Versions are sequential. ver_compare() may be a little
    # silly for a single node, but it works.
    if (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + ver +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_warning(port:0, extra:report);
      }
      else security_warning(port:0);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_1D56727887A511E4879C000C292EE6B8.NASL
    descriptionThe Git Project reports : When using a case-insensitive filesystem an attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. If you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git.
    last seen2020-03-18
    modified2014-12-22
    plugin id80148
    published2014-12-22
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80148
    titleFreeBSD : git -- Arbitrary command execution on case-insensitive filesystems (1d567278-87a5-11e4-879c-000c292ee6b8)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80148);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");
    
      script_cve_id("CVE-2014-9390");
    
      script_name(english:"FreeBSD : git -- Arbitrary command execution on case-insensitive filesystems (1d567278-87a5-11e4-879c-000c292ee6b8)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Git Project reports :
    
    When using a case-insensitive filesystem an attacker can craft a
    malicious Git tree that will cause Git to overwrite its own
    .git/config file when cloning or checking out a repository, leading to
    arbitrary command execution in the client machine. If you are a
    hosting service whose users may fetch from your service to Windows or
    Mac OS X machines, you are strongly encouraged to update to protect
    such users who use existing versions of Git."
      );
      # https://github.com/blog/1938-git-client-vulnerability-announced
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1b80f9cd"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://article.gmane.org/gmane.linux.kernel/1853266"
      );
      # https://vuxml.freebsd.org/freebsd/1d567278-87a5-11e4-879c-000c292ee6b8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?875fb227"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:git");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/12/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/22");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"git<2.2.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-80.NASL
    descriptionThis update fixes the following security issue : - CVE-2014-9390: arbitrary command execution vulnerability on case-insensitive file system ( bnc#910756)
    last seen2020-06-05
    modified2015-01-29
    plugin id81064
    published2015-01-29
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81064
    titleopenSUSE Security Update : git (openSUSE-SU-2015:0159-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-80.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81064);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-9390");
    
      script_name(english:"openSUSE Security Update : git (openSUSE-SU-2015:0159-1)");
      script_summary(english:"Check for the openSUSE-2015-80 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes the following security issue :
    
      - CVE-2014-9390: arbitrary command execution vulnerability
        on case-insensitive file system ( bnc#910756)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=910756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2015-01/msg00083.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected git packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-arch");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-core-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-cvs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-daemon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-daemon-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-email");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-gui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-remote-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-svn");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-svn-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gitk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/29");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"git-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-arch-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-core-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-core-debuginfo-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-cvs-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-daemon-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-daemon-debuginfo-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-debugsource-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-email-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-gui-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-remote-helpers-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-svn-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-svn-debuginfo-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"git-web-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"gitk-1.8.4.5-3.8.4") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-arch-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-core-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-core-debuginfo-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-cvs-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-daemon-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-daemon-debuginfo-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-debugsource-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-email-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-gui-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-svn-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-svn-debuginfo-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"git-web-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"gitk-2.1.4-9.7") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-arch-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-core-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-core-debuginfo-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-cvs-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-daemon-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-daemon-debuginfo-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-debugsource-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-email-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-gui-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-svn-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-svn-debuginfo-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"git-web-2.1.4-9.6") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"gitk-2.1.4-9.6") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "git / git-arch / git-core / git-core-debuginfo / git-cvs / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-288.NASL
    descriptionlibgit2 was updated to fix an arbitrary command execution vulnerability on case-insentitive file systems. The following vulnerability was fixed : - When using programs using libgit2 on case-insensitive filesystems, .git/config could be overwritten, which allowed execution of arbitrary commands (boo#925040, CVE-2014-9390). The configuration is uncommon as all default file systems on openSUSE are case sensitive. Additionally, on openSUSE 13.2 libgit2 was updated to version 0.21.5 to backport further critical fixes.
    last seen2020-06-05
    modified2015-04-08
    plugin id82634
    published2015-04-08
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82634
    titleopenSUSE Security Update : libgit2 (openSUSE-2015-288)
  • NASL familyWindows
    NASL idGITHUB_WIN_RCE.NASL
    descriptionThe version of GitHub for Windows installed on the remote host is prior to 2.6.5. It is, therefore, affected by a command execution vulnerability when processing specially crafted git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user
    last seen2020-06-01
    modified2020-06-02
    plugin id80202
    published2014-12-22
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80202
    titleGitHub for Windows < 2.6.5 .git/config Command Execution
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-17341.NASL
    descriptionFixes for CVE-2014-9390 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-12-30
    plugin id80298
    published2014-12-30
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80298
    titleFedora 21 : eclipse-egit-3.5.3-1.fc21 / eclipse-jgit-3.5.3-1.fc21 (2014-17341)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_XCODE_GIT.NASL
    descriptionThe remote Mac OS X host has a version of Apple Xcode prior to 6.2 beta 3. It is, therefore, affected by a remote command execution vulnerability when processing git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user's '.git/config' file when the user clones or checks out a repository, allowing arbitrary command execution. This plugin has been deprecated. It detects Xcode installations vulnerable to CVE-2014-9390, and was created before Apple released a security update to fix this vulnerability. On March 9, 2015, a security update for Xcode has been released. The update fixes multiple vulnerabilities (including CVE-2014-9390). A separate plugin (ID 81758) has been created to detect that update. That plugin should be used instead of this one.
    last seen2018-07-15
    modified2018-07-14
    plugin id80828
    published2015-01-19
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=80828
    titleApple Xcode < 6.2 beta 3 .git/config Command Execution (Mac OS X) (deprecated)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_XCODE_6_2.NASL
    descriptionThe Apple Xcode installed on the remote Mac OS X host is prior to version 6.2. It is, therefore, affected by the following vulnerabilities : - Numerous errors exist related to the bundled version of Apache Subversion. (CVE-2014-3522, CVE-2014-3528, CVE-2014-3580, CVE-2014-8108) - An error exists related to the bundled version of Git that allows arbitrary files to be added to the .git folder. (CVE-2014-9390)
    last seen2020-05-06
    modified2015-03-11
    plugin id81758
    published2015-03-11
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81758
    titleApple Xcode < 6.2 (Mac OS X)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3257.NASL
    descriptionJesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command.
    last seen2020-06-01
    modified2020-06-02
    plugin id83336
    published2015-05-12
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83336
    titleDebian DSA-3257-1 : mercurial - security update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201509-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201509-06 (Git: Arbitrary command execution) A vulnerability in Git causing Git-compatible clients that access case-insensitive or case-normalizing filesystems to overwrite the .git/config when cloning or checking out a repository, leading to execution of arbitrary commands. Impact : An attacker can execute arbitrary commands on a client machine that clones a crafted malicious Git tree. Workaround : There is no known workaround at this time.
    last seen2020-03-18
    modified2015-09-25
    plugin id86137
    published2015-09-25
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86137
    titleGLSA-201509-06 : Git: Arbitrary command execution
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201612-19.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201612-19 (Mercurial: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mercurial. Please review the CVE identifier and bug reports referenced for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time.
    last seen2020-03-18
    modified2016-12-07
    plugin id95605
    published2016-12-07
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95605
    titleGLSA-201612-19 : Mercurial: Multiple vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-169.NASL
    descriptionUpdated git packages fix security vulnerability : It was reported that git, when used as a client on a case-insensitive filesystem, could allow the overwrite of the .git/config file when the client performed a git pull. Because git permitted committing .Git/config (or any case variation), on the pull this would replace the user
    last seen2020-06-01
    modified2020-06-02
    plugin id82422
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82422
    titleMandriva Linux Security Advisory : git (MDVSA-2015:169)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0100-1.NASL
    descriptionThis update fixes the following security issue : - CVE-2014-9390: arbitrary command execution vulnerability on case- insensitive file system (bnc#910756) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2015-05-20
    plugin id83671
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83671
    titleSUSE SLES12 Security Update : git (SUSE-SU-2015:0100-1)
  • NASL familyWindows
    NASL idGIT_FOR_WINDOWS_1_9_5.NASL
    descriptionThe version of Git for Windows (also known as msysGit) installed on the remote host is prior to 1.9.5. It is, therefore, affected by a command execution vulnerability when processing specially crafted git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user
    last seen2020-06-01
    modified2020-06-02
    plugin id80306
    published2014-12-30
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80306
    titleGit for Windows .git/config Command Execution
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-237.NASL
    descriptionCVE-2014-9462 Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command. CVE-2014-9390 is a security vulnerability that affects mercurial repositories in a case-insensitive filesystem (eg. VFAT or HFS+). It allows for remote code execution of a specially crafted repository. This is less severe for the average Debian installation as they are usually set up with case-sensitive filesystems. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2015-06-05
    plugin id83995
    published2015-06-05
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83995
    titleDebian DLA-237-1 : mercurial security update
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2470-1.NASL
    descriptionMatt Mackall and Augie Fackler discovered that Git incorrectly handled certain filesystem paths. A remote attacker could possibly use this issue to execute arbitrary code if the Git tree is stored in an HFS+ or NTFS filesystem. The remote attacker would need write access to a Git repository that the victim pulls from. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2015-01-14
    plugin id80517
    published2015-01-14
    reporterUbuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80517
    titleUbuntu 12.04 LTS / 14.04 LTS / 14.10 : git vulnerability (USN-2470-1)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/129784/git_client_command_exec.rb.txt
idPACKETSTORM:129784
last seen2016-12-05
published2015-01-02
reporterJon Hart
sourcehttps://packetstormsecurity.com/files/129784/Malicious-Git-And-Mercurial-HTTP-Server-For-CVE-2014-9390.html
titleMalicious Git And Mercurial HTTP Server For CVE-2014-9390

Seebug

bulletinFamilyexploit
description参考来源: http://seclists.org/oss-sec/2016/q1/645 Hello, original report describing the overflow is here http://pastebin.com/UX2P2jjg >On 11/02/2016 16:50, Jeff King wrote this on the git security mailing list: >>On Thu, Feb 11, 2016 at 02:31:49PM +0100, 'Laël Cellier' via Git Security wrote: Ok the bug works by pushing or cloning a repository with a large filename or a large number of nested trees. [...] The point is affected versions are still shipped as part of many distributions as part of their stable branch, so I think it’s important to get a ᴄᴠᴇ for public awareness. >Yes, I do think versions below v2.7.0 have a heap overflow, as you mentioned. But I don't think that is the only problem with path_name(), even in the current version. > I'll repeat the code here (the version you posted was indented badly, and I had trouble reading it): ``` -- >8 -- char *path_name(const struct name_path *path, const char *name) { const struct name_path *p; char *n, *m; int nlen = strlen(name); int len = nlen + 1; for (p = path; p; p = p->up) { if (p->elem_len) len += p->elem_len + 1; } n = xmalloc(len); m = n + len - (nlen + 1); memcpy(m, name, nlen + 1); for (p = path; p; p = p->up) { if (p->elem_len) { m -= p->elem_len + 1; memcpy(m, p->elem, p->elem_len); m[p->elem_len] = '/'; } } return n; } -- 8< -- ``` > The problem you describe is one where the size of the allocation does not match what strcpy would write. And that's kind-of fixed by moving to memcpy() in 34fa79a6, because at least now the initial value of "len" matches the number of bytes we write (so that number might be totally bogus, but we don't write more than we allocate). > But "len" can also change after the fact, due to the loop. If you have a sequence of path components, each less than 2^31, they can sum to a much smaller positive value due to integer overflow (e.g., A/B/C with lengths A=2^31-5, B=2^31-5, C=20 would yield len=10). Then the buffer is too small to fit C, let alone all of the extra components we insert in the second loop. > The fix I came up with for this is to convert all of the "int" variables here to "size_t". That doesn't actually _fix_ the problem at all, but does mean on a 64-bit system that you need a 2^64-long path to trigger it, which is impractical. But that doesn't help 32-bit systems (though in practice, I wouldn't be surprised if we barf long before that, as we would be unable to hold the "struct name_path" list in memory). > Note that there is also a similar problem in tree-diff.c's path_appendnew(). There we build up the full pathname in a strbuf, which checks for overflow. But we then pass that length as an int and allocate a FLEX_ARRAY struct with it, which can end up too-small. This one is the more interesting of the two, I think, as it triggers via git-log, whereas the path_name() happens only during a repack (so it will hit you _eventually_, but probably not as soon as you've cloned). > My solution there was similar: use size_t, which at least means you'd have to allocate petabytes on a 64-bit system to trigger it (much less on a 32-bit system, but _probably_ you'd be saved by malloc failing first). > And that's why I dragged my feet on sending those fixes upstream; I don't think they're complete. The complete fix would be to use size_t consistently to store return values for strlen(), and to do integer overflow checks whenever we do computations on size_t. > Those of you on this list may recall I posted a series for the latter last year, but it was somewhat invasive. It may be worth resurrecting. > I think we could also get rid of path_name() entirely. The sole purpose at this point is to compute the name-hash for pack-objects, which could be done by walking the name_path list rather than re-constructing the whole thing in memory. > -Peff Of course everything Peff talked about above is now fixed in git 2.7.1 with the removal of path_name() and the size_t/overflow check in tree-diff.c. It was even fixed earlier for users of github enterprise. However, several months after the last message on this thread, I’m not aware of any Linux distribution that issued a fix for their stable branch. Last week I could contact wikimedia so they could fix their gerrit‑gc server. Bitbucket, GitLab still suffer from that issue (they even use a git version before git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 which is the easiest one to trigger because of strcpy() instead of memcpy() ). while it seems normal the ᴄᴠᴇ details are still unpublished, I definitely can’t deal with every major provider. People surely remember https://www.google.fr/search?tbm=nws&q=cve-2014-9390 breaking the news about a similar issue in that software (which allowed most distros to fix it quikcly). It seems while this threat is more widespread, it definitely lacks advertisement. So some Peoples suggested me to post about it here.
idSSV:91042
last seen2017-11-19
modified2016-03-16
published2016-03-16
reporterRoot
titleGit 版本<=2.7.1 远程代码执行漏洞