CVE-2017-1000117: Arbitrary code execution via crafted ssh:// in Git
The maintainers of the major open source version control systems Git, Subversion (svn) and Mercurial today released patches for a client-side code execution vulnerability; CVS is affected by the same class of issue. The vulnerability was discovered and reported by Brian Neel of GitLab, Joern Schneeweisz of Recurity Labs and Jeff King of GitHub.
Git, the open source version control system behind the Linux kernel, GitHub and GitLab, today released a series of updated versions, v2.14.1, v2.7.6, v2.8.6, v2.9.5, v2.10.4, v2.11.3, v2.12.4 and v2.13.5, to fix the vulnerability.
“This update fixes a vulnerability, CVE-2017-1000117, similar to the releases by the Subversion and Mercurial maintainers,” Git maintainer Junio Hamano wrote on the mailing list.
CVS can be configured to access a remote repository over SSH, for example by setting CVS_RSH=ssh; in that configuration a hostname that starts with a dash is passed to ssh and parsed as a command-line option (such as -o) rather than as a host.
Exploiting the vulnerability requires some social engineering: the victim has to be persuaded to clone or fetch from a URL the attacker controls.
Git warned in its bulletin: “A malicious attacker could send a well-structured ssh:// URL link to the victim, and the victim’s access to the URL would trigger the vulnerability, leading to the execution of malicious code.”
In other words, an attacker sends an “ssh://…” URL to the victim, and if the victim clones it, a malicious command runs on the client.
The malicious URL can also be placed in a project’s “.gitmodules” file, so that the victim’s “git clone --recurse-submodules” triggers the vulnerability without the victim ever typing the URL.
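The two delivery paths above (a hostname beginning with a dash handed to ssh, and that URL smuggled in via .gitmodules) can be checked for on the defensive side. The following is an added example, not code from Git or from the advisory: it parses a constructed .gitmodules sample and flags any ssh:// or scp-style URL whose user or host begins with "-", mirroring the hardening in the fixed Git versions. The sample content and option name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .gitmodules content (not from any real project).
# The first submodule is benign; the second has an ssh:// host that begins
# with a dash, the shape the advisory describes: git would hand it to ssh,
# which parses it as an option rather than a hostname.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = ssh://git@example.com/org/libfoo.git
[submodule "evil"]
\tpath = vendor/evil
\turl = ssh://-oExampleOption=x/org/evil.git
"""

URL_RE = re.compile(r'^\s*url\s*=\s*(\S+)\s*$', re.MULTILINE)
# scp-style syntax: [user@]host:path (no scheme)
SCP_RE = re.compile(r'^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):')

def ssh_parts(url):
    """Return (user, host) for URLs git would hand to ssh, else None."""
    if url.startswith("ssh://"):
        parts = urlsplit(url)
        return parts.username, parts.hostname
    m = SCP_RE.match(url)
    if m and "://" not in url:
        return m.group("user"), m.group("host")
    return None  # http(s), file, relative paths: never passed to ssh

def is_unsafe_ssh_url(url):
    # Same rule the fixed Git versions enforce: a user or host that begins
    # with '-' would be parsed by ssh as a command-line option.
    parts = ssh_parts(url)
    if parts is None:
        return False
    return any(p is not None and p.startswith("-") for p in parts)

def flagged_submodule_urls(gitmodules_text):
    """List every submodule URL in a .gitmodules file that fails the check."""
    return [u for u in URL_RE.findall(gitmodules_text) if is_unsafe_ssh_url(u)]

if __name__ == "__main__":
    for url in flagged_submodule_urls(SAMPLE_GITMODULES):
        print("unsafe submodule URL:", url)
```

Running the same check in a pre-receive hook or CI step catches a poisoned .gitmodules before any client with an unpatched Git clones it recursively.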
Apache Subversion (SVN) 1.9.7 fixes the CVE-2017-9800 problem, which is similar to what was patched in Git.
The SVN update fixes the issue that, in the words of the advisory, “a malicious svn+ssh URL supplied via svn:externals or svn:sync-from-url will cause the client to execute arbitrary code.”
The open source Mercurial version control system fixes the vulnerability in versions 4.3 and 4.2.3; its identifier is CVE-2017-1000115.