CVE-2017-8386

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.

Nessus

  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2017-2004.NASL
    description: From Red Hat Security Advisory 2017:2004 : An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Security Fix(es) : * It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt. (CVE-2014-9938) * A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102294
    published: 2017-08-09
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102294
    title: Oracle Linux 7 : git (ELSA-2017-2004)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-01A7989FC0.NASL
    description: An issue in `git-shell` could allow remote users to run an interactive pager. From the [update announcement](https://public-inbox.org/git/[email protected] v.corp.google.com/) : ... fix a recently disclosed problem with
    last seen: 2020-06-05
    modified: 2017-05-30
    plugin id: 100485
    published: 2017-05-30
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100485
    title: Fedora 24 : git (2017-01a7989fc0)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1357-1.NASL
    description: This update for git fixes the following issues : - git 2.12.3 : - CVE-2017-8386: Fix git-shell not to escape with the starting dash name (bsc#1038395) - Fix for potential segv introduced in v2.11.0 and later - Misc fixes and cleanups. - git 2.12.2 : - CLI output fixes -
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100319
    published: 2017-05-22
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100319
    title: SUSE SLES12 Security Update : git (SUSE-SU-2017:1357-1)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2017-2004.NASL
    description: An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Security Fix(es) : * It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt. (CVE-2014-9938) * A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102749
    published: 2017-08-25
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102749
    title: CentOS 7 : git (CESA-2017:2004)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3848.NASL
    description: Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100111
    published: 2017-05-11
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100111
    title: Debian DSA-3848-1 : git - security update
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2018-1377.NASL
    description: According to the versions of the git package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options.(CVE-2017-8386) - In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119068
    published: 2018-11-21
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119068
    title: EulerOS Virtualization 2.5.1 : git (EulerOS-SA-2018-1377)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20170801_GIT_ON_SL7_X.NASL
    description: Security Fix(es) : - It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt. (CVE-2014-9938) - A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386)
    last seen: 2020-05-15
    modified: 2017-08-22
    plugin id: 102640
    published: 2017-08-22
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102640
    title: Scientific Linux Security Update : git on SL7.x x86_64 (20170801)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3287-1.NASL
    description: Timo Schmid discovered that the Git restricted shell incorrectly filtered allowed commands. A remote attacker could possibly use this issue to run an interactive pager and access sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100218
    published: 2017-05-16
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100218
    title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : git vulnerability (USN-3287-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-938.NASL
    description: Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn
    last seen: 2020-03-17
    modified: 2017-05-11
    plugin id: 100110
    published: 2017-05-11
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/100110
    title: Debian DLA-938-1 : git security update
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2017-842.NASL
    description: Escape out of git-shell. A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100643
    published: 2017-06-07
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/100643
    title: Amazon Linux AMI : git (ALAS-2017-842)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-7EA0E02914.NASL
    description: An issue in `git-shell` could allow remote users to run an interactive pager. From the [update announcement](https://public-inbox.org/git/[email protected] v.corp.google.com/) : ... fix a recently disclosed problem with
    last seen: 2020-06-05
    modified: 2017-07-17
    plugin id: 101665
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101665
    title: Fedora 26 : git (2017-7ea0e02914)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1187.NASL
    description: According to the versions of the git package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt. (CVE-2014-9938) - A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386) - A shell command injection flaw related to the handling of
    last seen: 2020-05-06
    modified: 2017-09-08
    plugin id: 103025
    published: 2017-09-08
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103025
    title: EulerOS 2.0 SP1 : git (EulerOS-SA-2017-1187)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-F4319B6DFC.NASL
    description: An issue in `git-shell` could allow remote users to run an interactive pager. From the [update announcement](https://public-inbox.org/git/[email protected] v.corp.google.com/) : ... fix a recently disclosed problem with
    last seen: 2020-06-05
    modified: 2017-05-16
    plugin id: 100200
    published: 2017-05-16
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100200
    title: Fedora 25 : git (2017-f4319b6dfc)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1188.NASL
    description: According to the versions of the git package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt. (CVE-2014-9938) - A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386) - A shell command injection flaw related to the handling of
    last seen: 2020-05-06
    modified: 2017-09-08
    plugin id: 103026
    published: 2017-09-08
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103026
    title: EulerOS 2.0 SP2 : git (EulerOS-SA-2017-1188)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-2004.NASL
    description: An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Security Fix(es) : * It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt. (CVE-2014-9938) * A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102110
    published: 2017-08-02
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102110
    title: RHEL 7 : git (RHSA-2017:2004)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201706-04.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201706-04 (Git: Security bypass) Timo Schmid discovered that the Git restricted shell incorrectly filtered allowed commands. Impact : A remote attacker could possibly bypass security restrictions and access sensitive information. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100647
    published: 2017-06-07
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/100647
    title: GLSA-201706-04 : Git: Security bypass
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-624.NASL
    description: This update for git fixes the following issues : - git 2.12.3 : - CVE-2017-8386: Fix git-shell not to escape with the starting dash name (bsc#1038395) - Fix for potential segv introduced in v2.11.0 and later - Misc fixes and cleanups. - git 2.12.2 : - CLI output fixes -
    last seen: 2020-06-05
    modified: 2017-05-30
    plugin id: 100500
    published: 2017-05-30
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/100500
    title: openSUSE Security Update : git (openSUSE-2017-624)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2020-0992-1.NASL
    description: This update for git fixes the following issues : Security issue fixed : CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). Non-security issue fixed : git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608): the xinetd snippet was removed; the System V init script for the git-daemon was replaced by a systemd service file of the same name. git 2.26.0:
    last seen: 2020-04-30
    modified: 2020-04-15
    plugin id: 135580
    published: 2020-04-15
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135580
    title: SUSE SLES12 Security Update : git (SUSE-SU-2020:0992-1)

Redhat

advisories
  • bugzilla
    id: 1450407
    title: CVE-2017-8386 git: Escape out of git-shell
    oval: OR
      • comment: Red Hat Enterprise Linux must be installed (oval:com.redhat.rhba:tst:20070304026)
      • AND
        • comment: Red Hat Enterprise Linux 7 is installed (oval:com.redhat.rhba:tst:20150364027)
        • OR, any one of the following, each an AND of "package is earlier than 0:1.8.3.1-11.el7" and "package is signed with Red Hat redhatrelease2 key" (version test id, signature test id):
          • git (oval:com.redhat.rhsa:tst:20172004001, oval:com.redhat.rhsa:tst:20101003002)
          • git-daemon (oval:com.redhat.rhsa:tst:20172004003, oval:com.redhat.rhsa:tst:20101003004)
          • git-svn (oval:com.redhat.rhsa:tst:20172004005, oval:com.redhat.rhsa:tst:20101003018)
          • git-gui (oval:com.redhat.rhsa:tst:20172004007, oval:com.redhat.rhsa:tst:20101003006)
          • git-p4 (oval:com.redhat.rhsa:tst:20172004009, oval:com.redhat.rhsa:tst:20152561014)
          • git-bzr (oval:com.redhat.rhsa:tst:20172004011, oval:com.redhat.rhsa:tst:20152561008)
          • emacs-git (oval:com.redhat.rhsa:tst:20172004013, oval:com.redhat.rhsa:tst:20101003022)
          • emacs-git-el (oval:com.redhat.rhsa:tst:20172004015, oval:com.redhat.rhsa:tst:20101003008)
          • git-all (oval:com.redhat.rhsa:tst:20172004017, oval:com.redhat.rhsa:tst:20101003010)
          • perl-Git (oval:com.redhat.rhsa:tst:20172004019, oval:com.redhat.rhsa:tst:20101003012)
          • gitweb (oval:com.redhat.rhsa:tst:20172004021, oval:com.redhat.rhsa:tst:20101003014)
          • git-cvs (oval:com.redhat.rhsa:tst:20172004023, oval:com.redhat.rhsa:tst:20101003016)
          • perl-Git-SVN (oval:com.redhat.rhsa:tst:20172004025, oval:com.redhat.rhsa:tst:20152561012)
          • git-email (oval:com.redhat.rhsa:tst:20172004027, oval:com.redhat.rhsa:tst:20101003024)
          • gitk (oval:com.redhat.rhsa:tst:20172004029, oval:com.redhat.rhsa:tst:20101003020)
          • git-hg (oval:com.redhat.rhsa:tst:20172004031, oval:com.redhat.rhsa:tst:20152561022)
    rhsa
    id: RHSA-2017:2004
    released: 2017-08-01
    severity: Moderate
    title: RHSA-2017:2004: git security and bug fix update (Moderate)
  • rhsa
    id: RHSA-2017:2491
rpms
  • emacs-git-0:1.8.3.1-11.el7
  • emacs-git-el-0:1.8.3.1-11.el7
  • git-0:1.8.3.1-11.el7
  • git-all-0:1.8.3.1-11.el7
  • git-bzr-0:1.8.3.1-11.el7
  • git-cvs-0:1.8.3.1-11.el7
  • git-daemon-0:1.8.3.1-11.el7
  • git-debuginfo-0:1.8.3.1-11.el7
  • git-email-0:1.8.3.1-11.el7
  • git-gui-0:1.8.3.1-11.el7
  • git-hg-0:1.8.3.1-11.el7
  • git-p4-0:1.8.3.1-11.el7
  • git-svn-0:1.8.3.1-11.el7
  • gitk-0:1.8.3.1-11.el7
  • gitweb-0:1.8.3.1-11.el7
  • perl-Git-0:1.8.3.1-11.el7
  • perl-Git-SVN-0:1.8.3.1-11.el7
  • rh-git29-emacs-git-0:2.9.3-3.el6
  • rh-git29-emacs-git-el-0:2.9.3-3.el6
  • rh-git29-git-0:2.9.3-3.el6
  • rh-git29-git-0:2.9.3-3.el7
  • rh-git29-git-all-0:2.9.3-3.el6
  • rh-git29-git-all-0:2.9.3-3.el7
  • rh-git29-git-core-0:2.9.3-3.el6
  • rh-git29-git-core-0:2.9.3-3.el7
  • rh-git29-git-core-doc-0:2.9.3-3.el6
  • rh-git29-git-core-doc-0:2.9.3-3.el7
  • rh-git29-git-cvs-0:2.9.3-3.el6
  • rh-git29-git-cvs-0:2.9.3-3.el7
  • rh-git29-git-daemon-0:2.9.3-3.el6
  • rh-git29-git-daemon-0:2.9.3-3.el7
  • rh-git29-git-debuginfo-0:2.9.3-3.el6
  • rh-git29-git-debuginfo-0:2.9.3-3.el7
  • rh-git29-git-email-0:2.9.3-3.el6
  • rh-git29-git-email-0:2.9.3-3.el7
  • rh-git29-git-gui-0:2.9.3-3.el6
  • rh-git29-git-gui-0:2.9.3-3.el7
  • rh-git29-git-p4-0:2.9.3-3.el6
  • rh-git29-git-p4-0:2.9.3-3.el7
  • rh-git29-git-svn-0:2.9.3-3.el6
  • rh-git29-git-svn-0:2.9.3-3.el7
  • rh-git29-gitk-0:2.9.3-3.el6
  • rh-git29-gitk-0:2.9.3-3.el7
  • rh-git29-gitweb-0:2.9.3-3.el6
  • rh-git29-gitweb-0:2.9.3-3.el7
  • rh-git29-perl-Git-0:2.9.3-3.el6
  • rh-git29-perl-Git-0:2.9.3-3.el7
  • rh-git29-perl-Git-SVN-0:2.9.3-3.el6
  • rh-git29-perl-Git-SVN-0:2.9.3-3.el7

Seebug

bulletinFamily: exploit
description: The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over an ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in an ssh session to the ones required by git, which are as follows:

* git-receive-pack: Receives repository updates from the client.
* git-upload-pack: Pushes repository updates to the client.
* git-upload-archive: Pushes a repository archive to the client.

Besides those built-in commands, an administrator can also provide its own commands via shell scripts or other executable files. As those are typically completely custom, this post will concentrate on the built-in ones.

Note: This has nothing to do with the also recently fixed vulnerabilities in gitlab [1] [2].

If you are familiar with git, you may know that most servers encapsulate the git protocol inside additional protocols like SSH or HTTP/S [3]. That's because the git protocol itself, while being a simple text-based protocol [4], does not provide any authentication or protection mechanisms for the transferred data. The most common choice for write access to a repository is SSH, as it provides multiple authentication mechanisms, stable encryption, low protocol overhead once established, and is widely approved. The downside of using SSH is that it was primarily designed to provide shell access to remote users ("Secure SHell"). Typically, one does not give that to git users. To restrict the connection to be used only for accessing repositories, one has to replace the original shell (typically bash or something similar) with another, more restrictive shell. Big hosting companies often implement their own version which mimics the commands listed above. But it is also possible to use the shell provided by the git developers, which restricts you to using only whitelisted commands and calls them accordingly.

The setup is fairly simple. The recommended way is to create a dedicated git user on your server and use the git-shell command as the login shell for that user [5]. Another option is to use so-called SSH forced commands, which allow you to decide on a per-client basis (depending on the key used during authentication), but more on this later. If you've configured an ssh remote repository in your local repository, a git push essentially starts the following command (received data, sent data):

```
$ ssh git@remoteserver "git-receive-pack '/myrepository.git'"
008957d650a081a34bcbacdcdb5a94bddb506adfe8e0 refs/heads/develop report-status delete-refs side-band-64k quiet ofs-delta agent=git/2.1.4
003fbe8910f121957e3326c4fdd328ab9aabd05abdb5 refs/heads/master
00000000
```

(That is the exchange if both repositories have the same commits.) If you try to execute commands which are not in this whitelist (either the built-in commands listed above or those inside a git-shell-commands directory in the home directory), you'll get an error that this command is not recognized. Typical command injection attacks also do not work, as there is no interactive shell used. Instead the command line is simply split by spaces (but respecting quotes) and passed to execve. This convinced me to take a look at the protocol-handling binaries themselves. Additionally, I remembered that git has a built-in help command which opens the man page for the given command. Example:

```
$ git help init
GIT-INIT(1)                  Git Manual                  GIT-INIT(1)

NAME
       git-init - Create an empty Git repository or reinitialize an existing one
[...]
```

Some commands also have the neat feature of invoking this by using the --help command-line option:

```
$ git init --help
GIT-INIT(1)                  Git Manual                  GIT-INIT(1)

NAME
       git-init - Create an empty Git repository or reinitialize an existing one
[...]
```

This also applies to the commands git-receive-pack and git-upload-archive. If we try this on a server:

```
$ ssh git@remoteserver "git-receive-pack '--help'"
GIT-RECEIVE-PACK(1)          Git Manual          GIT-RECEIVE-PACK(1)

NAME
       git-receive-pack - Receive what is pushed into the repository
[...]
```

Neat! But how does this help us to bypass the restrictions? On most systems, if you open a man page (by the man command), the man specification is parsed, rendered to ANSI output and piped into a pager (most of the time the less command). This allows you to scroll and search within the man page, independent of your terminal size and capabilities. Besides being a simple pager, less also has some additional interactive features. It allows you for example to open additional files (for reading), write the current output to a logfile and execute system commands in the current shell (!). To be able to use those features, it is required to run less in interactive mode. This mode is automatically enabled if a pty is available. This is typically the case if you simply connect to a SSH server, but is not the case if you directly run commands (as we are required to do in the default git-shell configuration (no custom commands)). Luckily we can force the ssh client to allocate a pty (if it is not disabled on the server side, which is most of the time not the case):

```
$ ssh -t git@remoteserver "git-receive-pack '--help'"
GIT-RECEIVE-PACK(1)          Git Manual          GIT-RECEIVE-PACK(1)

NAME
       git-receive-pack - Receive what is pushed into the repository
 Manual page git-receive-pack(1) line 1 (press h for help or q to quit)
```

Nice! We are now able to use all interactive features of less :-). In the recommended setup there is, however, one restriction. As I said before, the shell execution feature tries to execute commands in the current shell. This is the git-shell in our case, therefore we have the same restrictions here as we had with the commands specified over ssh. Nevertheless, we are able to read files, list directories (by (ab)using the tab completion) and write the currently shown output to a file (which might help us further if we are able to control a part of the output).

![](https://images.seebug.org/1494498830251-w331s)

But as you might remember from the beginning of the post, there is also a second method to use git-shell (although not that common, as far as I can tell). This could for example be used if you want to restrict only a subset of the users with access to your hosted repositories, or if you are not allowed to change the shell for your git user (e.g. in a managed environment without root access). This time, we leave the login shell as is (bash) and restrict the users by specifying the git-shell command in the .ssh/authorized_keys file. Example:

```
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC1yc2EA[...]
```

This behaves exactly the same as if it was configured as the login shell, except that less is able to run commands in the login shell.

![](https://images.seebug.org/1494498860243-w331s)

But it has to be noted here that you are able to supply additional (option) flags to the forced command which restrict the ssh features. The most notable flag is the no-pty flag [6]. This prevents clients from requesting a pty and therefore does not allow running less in interactive mode. I recommend updating to one of the fixed versions v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5, v2.9.4, v2.10.3, v2.11.2, v2.12.3 or v2.13.0.

Best, Timo @bluec0re

##### Timeline

* 2017-04-25 Reported to the git-security mailing list
* 2017-05-01 Assigned CVE-2017-8386
* 2017-05-10 Release of the fixed versions v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5, v2.9.4, v2.10.3, v2.11.2, v2.12.3 and v2.13.0

##### References

* [1] https://about.gitlab.com/2017/04/05/gitlab-9-dot-0-dot-4-security-release/
* [2] https://about.gitlab.com/2017/05/08/gitlab-9-dot-1-dot-3-security-release/
* [3] https://git-scm.com/book/no-nb/v1/Git-on-the-Server-The-Protocols
* [4] https://github.com/git/git/blob/master/Documentation/technical/pack-protocol.txt
* [5] https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server
* [6] http://man.openbsd.org/sshd#command="command"
id: SSV:93096
last seen: 2017-11-19
modified: 2017-05-11
published: 2017-05-11
reporter: Anonymous
title: Git Shell Bypass By Abusing Less (CVE-2017-8386)
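Two defender-side checks that follow from the write-up and the version list above, as an added Python example that is not part of the Seebug post, of git, or of any vendor advisory: an upstream version test against the fixed releases the page lists, and a scan of an authorized_keys file for git-shell forced commands that omit the no-pty option the post names as the mitigation for that setup. The authorized_keys sample is constructed with placeholder key material, and the option-field parsing (unquoted whitespace ends the field, double quotes enclose spaces and commas, backslash escapes the next character) is my reading of sshd's format, not code from OpenSSH.

```python
"""Checks for CVE-2017-8386 (git-shell escape via an interactive pager).

Added example, not code from the Seebug post or from git:
  is_vulnerable_upstream()  - upstream version vs. the fixed releases on this page
  audit_authorized_keys()   - git-shell forced commands that lack no-pty
"""
import re

# Fixed upstream point release per minor series, from the advisory summary.
FIXED_VERSIONS = {
    (2, 4): (2, 4, 12), (2, 5): (2, 5, 6), (2, 6): (2, 6, 7),
    (2, 7): (2, 7, 5), (2, 8): (2, 8, 5), (2, 9): (2, 9, 4),
    (2, 10): (2, 10, 3), (2, 11): (2, 11, 2), (2, 12): (2, 12, 3),
}
FIRST_CLEAN_SERIES = (2, 13)   # 2.13.0 shipped with the fix

# Key types that may begin a line with no option field (assumed list, not exhaustive).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def parse_version(text):
    """Turn 'git version 2.7.4' or 'v2.12.3' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_upstream(text):
    """True if this upstream version predates the fix for its minor series.

    Caveat: distributions backport fixes without changing the upstream version
    (this page lists RHEL 7's git-1.8.3.1-11.el7 as fixed), so for packaged
    builds rely on the distro advisory; this check is for self-built git.
    """
    major, minor, patch = parse_version(text)
    if (major, minor) >= FIRST_CLEAN_SERIES:
        return False
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Summary says "before 2.4.12" with no lower bound: older series are unfixed.
        return True
    return (major, minor, patch) < fixed


def parse_options(line):
    """Return the option list of an authorized_keys line ([] if it has none).

    The option field ends at the first unquoted whitespace; double quotes may
    enclose spaces and commas, and a backslash escapes the next character.
    """
    if line.startswith(KEY_TYPES):
        return []
    options, current, in_quote, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            current += line[i:i + 2]
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c.isspace() and not in_quote:
            break                          # end of the option field
        if c == "," and not in_quote:
            options.append(current)
            current = ""
        else:
            current += c
        i += 1
    if current:
        options.append(current)
    return options


def audit_authorized_keys(text):
    """Return [(line_no, command_option)] for git-shell forced commands lacking no-pty."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = parse_options(line)
        command = next((o for o in options if o.lower().startswith("command=")), None)
        if command is None or "git-shell" not in command:
            continue
        if any(o.lower() == "no-pty" for o in options):
            continue                       # pty requests are refused: less stays non-interactive
        findings.append((line_no, command))
    return findings


# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample
command="git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"" ssh-rsa AAAAB3PLACEHOLDER1 alice
no-pty,command="git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER2 bob
ssh-ed25519 AAAAC3PLACEHOLDER3 carol
"""
```

On the sample, only alice's line is reported: bob's entry carries no-pty and carol's has no forced command at all.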
