Full Report
The authors of this post use git submodules internally. They noticed that long submodule URLs led to crashes on a GitHub repository page. They weren't sure why, so they started fuzzing it. Eventually, they noticed that deinitializing submodules sometimes created new sections in .git/config. But why? When reading configuration files in 1024-byte chunks, the parser assumed that the beginning of each read is the beginning of a line. With very long lines this isn't the case. So a line of 1024 characters followed by a [ for a section header would make the parser believe it was looking at a new section when it really wasn't! By providing a malicious, attacker-controlled URL, they could smuggle commands, such as bash commands, into .git/config this way. They found this was triggered when a section was being removed or renamed. The most interesting part to me was how they found the bug. It wasn't a crash in the git client - it was a side effect. Then, after some investigation, they discovered why this was happening. Once you see the bug and the idea, it's straightforward, but it's not an obvious place to look for bugs.
Analysis Summary
# Vulnerability: Git Configuration Injection via Long Lines
## CVE Details
- **CVE ID:** CVE-2023-29007
- **CVSS Score:** 7.0 (High)
- **CWE:** CWE-94 (Improper Control of Generation of Code) / Logic Error in Configuration Parsing
## Affected Systems
- **Products:** Git
- **Versions:** Version 2.40.0 and all older versions.
- **Configurations:** Systems where Git is used to manage repositories with submodules or branches, specifically when performing configuration-altering commands (like renaming or deleting sections).
## Vulnerability Description
The flaw exists in `config.c` within the function `git_config_copy_or_rename_section_in_file`. The parser uses a fixed-size buffer of 1024 characters to read lines from the `.git/config` file.
If a configuration value (such as a submodule URL) exceeds 1024 characters, `fgets` returns the first 1024 bytes and the parser calls it again for the remaining data. The parser logic incorrectly assumes that every new `fgets` call marks the start of a new line. If the 1025th character (or the first non-space character after a wrap) is a `[` (bracket), the parser mistakenly identifies it as the start of a new configuration section header.
By crafting a malicious URL that spans across this 1024-byte boundary, an attacker can "smuggle" arbitrary configuration directives into the `.git/config` file when that section is renamed or removed.
## Exploitation
- **Status:** PoC available.
- **Complexity:** Medium (Requires user interaction and specific git commands).
- **Attack Vector:** Local/Network (via cloning a malicious repository or getting a user to process a malicious `.gitmodules` file).
## Impact
- **Confidentiality:** High (Potential for full system compromise).
- **Integrity:** High (Arbitrary configuration injection).
- **Availability:** High (Can lead to arbitrary code execution).
**Note:** Impact is achieved by injecting configuration values that specify executables, such as `core.pager`, `core.editor`, or `core.sshCommand`, leading to Arbitrary Code Execution (ACE).
## Remediation
### Patches
- Update to Git versions **2.40.1**, **2.39.3**, **2.38.5**, **2.37.7**, **2.36.6**, **2.35.8**, **2.34.8**, **2.33.8**, **2.32.7**, **2.31.8**, or **2.30.9**.
### Workarounds
- Avoid running `git submodule deinit`, `git branch -m`, or `git remote rm` on repositories from untrusted sources.
- Manually inspect `.gitmodules` and `.git/config` for unusually long strings or smuggled sections before performing maintenance operations.
## Detection
- **Indicators of compromise:** Presence of extremely long URLs in `.gitmodules` (over 1024 characters) or unexpected entries in `.git/config` that look like nested sections.
- **Detection methods:** Static analysis of the `.git/config` file for multiple section headers or suspicious `core.*` overrides.
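The following scanner is an added example (not code from the advisory, the writeup or the Git project) that implements the detection methods above: it flags lines too long for a single read of the 1024-byte buffer described in the Vulnerability Description, then re-reads the file the way the unpatched parser did, treating every `fgets` chunk as a line start, and reports section headers and `core.*` executable overrides that exist only in that view. The sample `.git/config` content, the `example.invalid` URL and the `placeholder-program` value are constructed for the demonstration.

```python
import re
from collections import Counter

FGETS_BUF = 1024               # fixed buffer size in the vulnerable parser
CHUNK = FGETS_BUF - 1          # fgets(buf, 1024, f) returns at most 1023 bytes per call
SECTION_RE = re.compile(rb"^[ \t]*\[([^\]\n]+)\]")
KEY_RE = re.compile(rb"^[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*=[ \t]*(.*)")
EXEC_KEYS = {b"pager", b"editor", b"sshcommand"}   # core.* keys that name a program git runs

def fgets_chunks(data: bytes):
    """Yield exactly the byte strings successive fgets(buf, 1024) calls would return."""
    pos = 0
    while pos < len(data):
        nl = data.find(b"\n", pos, pos + CHUNK)
        end = pos + CHUNK if nl == -1 else nl + 1
        yield data[pos:end]
        pos = end

def headers(pieces):
    """Section names seen when every piece is taken to be the start of a line."""
    return Counter(m.group(1) for m in map(SECTION_RE.match, pieces) if m)

def core_exec_overrides(pieces):
    """core.<exec key> assignments, attributing each key to the last header seen."""
    section, found = None, []
    for p in pieces:
        if m := SECTION_RE.match(p):
            section = m.group(1).strip().lower()
        elif section == b"core" and (kv := KEY_RE.match(p)) and kv.group(1).lower() in EXEC_KEYS:
            found.append(b"core." + kv.group(1) + b"=" + kv.group(2).strip())
    return found

def scan_config(data: bytes) -> dict:
    """Compare a correct line-by-line parse with the unpatched reader's chunk view."""
    lines, chunks = data.split(b"\n"), list(fgets_chunks(data))
    return {
        # content plus newline no longer fits one fgets() call: the bug's precondition
        "long_lines": [i + 1 for i, l in enumerate(lines) if len(l) >= CHUNK],
        # headers only the unpatched reader sees, i.e. the ones it would have smuggled
        "smuggled_sections": list((headers(chunks) - headers(lines)).elements()),
        "exec_overrides": core_exec_overrides(chunks),
    }

# Constructed sample: the URL is padded so "[core]" begins exactly where the second fgets()
# call on its line starts; "pager" is a meaningless submodule.* key in the real file, but
# the unpatched reader files it under the fake [core] header it just "saw".
_URL = b"\turl = https://example.invalid/"
SAMPLE = b"\n".join([b'[submodule "lib"]', b"\tpath = lib",
                     _URL + b"a" * (CHUNK - len(_URL)) + b"[core]",
                     b"\tpager = placeholder-program", b"\tactive = true", b""])
CLEAN = b'[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n'
```

Run `scan_config` over the bytes of a repository's `.git/config` or `.gitmodules` before maintenance commands such as `git submodule deinit`; an empty result for all three keys, as for `CLEAN`, means the file reads the same to both parsers.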
## References
- hxxps://github[.]blog/2023-04-25-git-security-vulnerabilities-announced-4/
- hxxps://github[.]com/git/git/security/advisories/GHSA-v48j-4xgg-4844
- hxxps://nvd.nist[.]gov/vuln/detail/CVE-2023-29007
- hxxps://github[.]com/ethiack/CVE-2023-29007 (PoC Repository)