Coordinated Disclosure Timeline
- 2022-06-15: Sent report to git-security@googlegroups.com
- 2022-09-27: GHSA-rjr6-wcq6-83p6 created
- 2022-09-27: CVE-2022-39260 assigned
- 2022-10-18: Disclosed
Summary
It is possible to trigger an integer overflow in split_cmdline, leading to out-of-bounds reads and writes. The vulnerability can be triggered remotely on a git server that is configured to allow ssh access using git-shell.
About git-shell
This is a brief overview of git-shell. If you are already familiar with git-shell then you can skip this section.
git-shell is a restricted login shell used to enable ssh access on a git server, which you can set up following these instructions. The server has a user account named git, with an entry in /etc/passwd that looks like this:
git:x:200:200::/home/git:/usr/bin/git-shell
Notice that the login shell is /usr/bin/git-shell, rather than /bin/bash. This is what the shell looks like when I ssh into the git account:
$ ssh git@myserver
Last login: Fri Jun 10 21:54:30 2022 from 82.16.135.182
Run 'help' for help, or 'exit' to leave. Available commands:
list
git>
git-shell only permits a limited set of commands, so it enables users to run git operations such as fetch and push, but prevents them from running arbitrary commands as the git user. The vulnerability described here could potentially be exploited to run arbitrary commands as the git user.
Product
git
Tested Version
Details
Issue: integer overflow in split_cmdline (GHSL-2022-035)
split_cmdline is used to parse commands typed into git-shell. Under normal usage, these commands are short hand-typed strings such as “list”, but it is possible to send a command string longer than 2GB over an ssh connection. The code in split_cmdline uses the int type to index the string, which means that a sufficiently long string can trigger an integer overflow:
int split_cmdline(char *cmdline, const char ***argv)
{
int src, dst, count = 0, size = 16; <===== these variables can overflow
char quoted = 0;
ALLOC_ARRAY(*argv, size);
/* split alias_string */
(*argv)[count++] = cmdline;
for (src = dst = 0; cmdline[src];) {
char c = cmdline[src];
If the string is longer than 2GB then src and dst can overflow and become negative, leading to out-of-bounds reads and writes of the cmdline array.
Note that it is also possible to overflow count and size, but it takes much longer and consumes a lot more memory because it involves growing the argv array.
The attached poc triggers the integer overflow. Run it like this:
gcc split_cmdline_poc.c -o split_cmdline_poc
./split_cmdline_poc poc.txt
cat poc.txt | ssh git@myserver
Impact
This vulnerability could potentially enable an attacker to run arbitrary commands as the git user on the git server. The vulnerability can only be exploited by an attacker who already has access to the git server, i.e. they have permission to perform git operations such as pushing and fetching commits. This vulnerability is unlikely to affect large-scale git servers, such as those run by GitHub, as they are unlikely to use git-shell for ssh access.
CVE
- CVE-2022-39260
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-035 in any communication regarding this issue.