Microsoft-owned GitHub has released updated versions of its local code revision control client after two remote code execution bugs were discovered.
The first affects computers with multiple users and allows an untrusted user to create a C:\.git folder that the local version control client would find when looking for a Git directory outside of a repository.
“Because some configuration variables (such as core.fsmonitor) cause Git to run arbitrary commands, this can result in arbitrary command execution when working on a shared machine,” said Github Security Engineer Taylor Blau.
Users of the posh-git Windows PowerShell script are vulnerable simply by launching an instance of the command interpreter, and Git Bash users who set the recommended GIT_PS1_SHOWDIRTYSTATE variable are also vulnerable.
Creating a .git folder on every drive where Git commands are run, and removing read/write access from those folders, is a workaround for users unable to update their local repository client.
Setting or expanding the GIT_CEILING_DIRECTORIES variable to include the parent directory of user profiles, such as C:\Users on Windows, also prevents exploitation of the vulnerability.
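An added example, not part of the article, that audits a Windows host for the condition described above and applies the two workarounds. It assumes Git for Windows is on PATH, that it runs in an elevated PowerShell session (needed to create and lock down C:\.git), and that the version threshold and the C:\Users profile root are taken from the article.

```powershell
# Added example (not from the article). Assumes: Git on PATH, elevated session.
$FixedVersion = [version]'2.35.2'        # fixed release named in the article
$UserProfiles = 'C:\Users'               # parent of user profiles (assumption)

# 1. Is the installed client already patched? "git version 2.35.2.windows.1" -> 2.35.2
$verText   = ((git --version) -replace '^git version ', '') -replace '\.windows.*$', ''
$installed = [version]$verText
if ($installed -ge $FixedVersion) {
    Write-Host "Git $installed is at or above $FixedVersion; workarounds are optional."
} else {
    Write-Warning "Git $installed is older than $FixedVersion; applying workarounds."
}

# 2. Detection: a .git folder at any drive root is the exact condition described.
#    Report its owner and whether its config sets core.fsmonitor (runs commands).
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } |
         ForEach-Object { Join-Path $_.Root '.git' }
foreach ($dir in $roots) {
    if (Test-Path $dir) {
        $owner = (Get-Acl $dir).Owner
        Write-Warning "Found $dir (owner: $owner)"
        $cfg = Join-Path $dir 'config'
        if (Test-Path $cfg) {
            $hook = git config --file $cfg core.fsmonitor
            if ($hook) { Write-Warning "  core.fsmonitor is set to: $hook" }
        }
    }
}

# 3. Workaround A: stop Git walking above the profile directory (user scope).
$current = [Environment]::GetEnvironmentVariable('GIT_CEILING_DIRECTORIES', 'User')
if (-not $current -or (($current -split ';') -notcontains $UserProfiles)) {
    $new = if ($current) { "$current;$UserProfiles" } else { $UserProfiles }
    [Environment]::SetEnvironmentVariable('GIT_CEILING_DIRECTORIES', $new, 'User')
    Write-Host "GIT_CEILING_DIRECTORIES set to: $new"
}

# 4. Workaround B: pre-create .git on the system drive so an untrusted user
#    cannot, then replace its ACL: Administrators/SYSTEM full, Users read-only.
#    Well-known SIDs are used so the script is independent of group names.
$placeholder = Join-Path $env:SystemDrive '.git'
if (-not (Test-Path $placeholder)) {
    New-Item -ItemType Directory -Path $placeholder | Out-Null
    Write-Host "Created placeholder $placeholder"
}
icacls $placeholder /inheritance:r `
    /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)R' |
    Out-Null
```

Repeat step 4 for every other drive letter on which Git commands are run; new shells pick up the user-scope variable from step 3.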
A second flaw makes the Git for Windows uninstaller vulnerable to dynamic link library (DLL) hijacking, since the highly privileged SYSTEM account inherits settings that point TMP and TEMP to the world-writable C:\Windows\Temp folder.
“This means that any authenticated user can place malicious .dll files that are loaded when the Git for Windows uninstaller is run from the SYSTEM account,” wrote GitHub engineer Victoria Dye.
GitHub itself is not affected by the vulnerabilities, which are patched in Git for Windows version 2.35.2.
Fixed NoGitBleed credentials leak
Separately, GitHub said it will scan public repositories for accidentally leaked credentials to prevent attackers from finding them.
Configuration or human error has led to a significant number of users inadvertently checking in GitHub credentials as metadata in GitHub commits, engineers Will Deane and Aaron Devaney found in early August of last year.
This was often a username entered as the author and a password in the email address field.
“We estimate that 50,000 to 100,000 user credentials could be affected in the region, covering a wide range of organizations including governments, corporations, large open source foundations, as well as smaller organizations and individuals,” the researchers wrote.
For example, attackers could use the credentials to conduct supply chain attacks on open-source code repositories, Deane and Devaney said.
GitHub started scanning for credentials entered in metadata last September, so that the misconfigurations and bugs could be fixed, and fully rolled out the feature yesterday.
Source: https://www.itnews.com.au/news/local-gits-vulnerable-to-remote-code-execution-578711?utm_source=feed&utm_medium=rss&utm_campaign=iTnews+ (Local gits are vulnerable to remote code execution – security – software)