oss-sec mailing list archives

Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315)

From: Laël Cellier <lael.cellier () laposte net>
Date: Fri, 18 Mar 2016 00:20:27 +0100

On 16/03/2016 16:40, Stefan Cornelius wrote:

Hi,

I'm Stefan Cornelius of Red Hat Product Security. Obviously, we're
currently working on the Git security issues.

In one of the emails to oss-sec you mention that you have some kind of
reproducer for CVE-2016-2315.

Would you please be kind enough to share this reproducer with us?

Unfortunately, I can currently only share early work based on a modifiedversion of gitdb which can’t create a packfile (Maybe I will be able toupload the full gitdb version in a few weeks). You can find it as anattachment along an example file.

This email contains a vulnerable version of git with libasanhttps://github.com/google/sanitizers and no optimizations which helpedme to identify the issue. When I pushed that large repository, libasanprinted a stack trace which ended on strcpy() in path_name.c (just cat2GB.txt in a terminal)

Either way once you have packfile, you need to create a network payload.Since my vector was ssh I used the good vim editor on the packfile inorder to add the missing informations (nul bytes included) (sinceeverything is text based outside the packfile).Doing it manually was much faster than trying to create a script. Iincluded an example for ssh which will fill ram if cloned or pushed(without doing anything related to the vulnerability). It should helpdemonstrating how to produce one for triggering rce.

For those who don’t want to try it. I included a crafted repo ready foruse which will crash affected versions. It will help distributionstesting their own patches.Of course everything I did was about strcpy() and don’t containsexecutable code (though putting some shoud be easy). For othervulnerabilities based on that size_t to int truncation, just ask Peff atGitHub, inc. He did is own testing.

It would help us tremendously. We will not share the reproducer with
third parties and will only use it for our internal testing.

On the contrary, please make them widely available so otherdistributions can test their own patches faster.

Thank you very much and kind regards,

regards,

The attachments being too large, you can download them onhttp://ytrezq.sdfeu.org/git/reproducer.zip

Current thread:

Re: Exploitability of Git's CVE-2016-2315 Laël Cellier (Mar 16)
- Message not available
  - Message not available
    - Message not available
    - Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315) Laël Cellier (Mar 18)