This post is a rather unusual story of a vulnerability that could be leveraged as a supply chain attack and used to attack millions of software developers around the world. It is also a tale of a bug collision that paid a bounty to one reporter and assigned the CVE to another! The main focus of this blog post is GitHub Desktop. Other Git clients such as GitKraken, Git-Tower and SourceTree were also found to be vulnerable; however, these have different exploitation scenarios that require user interaction.

Brief description of the issue

As part of GitHub Desktop's default repository cloning process, among other actions it calls the executable git-lfs. From git-lfs's official page: "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server like or GitHub Enterprise." Git-lfs is then called on the current cloned repository, already present on disk.

A vulnerability was discovered when cloning a repository with an especially crafted file in the root directory. Upon cloning such a malicious repository, code execution is achieved with the same privileges as the affected user running GitHub Desktop. The cloning process happens normally and there is no visual indication that a malicious binary was run instead of the original git executable.

When inspecting the desktop application under Process Monitor, it was noticed that several actions of git-lfs called a git executable from inside the newly cloned repository. By placing a malicious git in the root of the malicious repo, a user that clones it will have the malicious git executed by git-lfs, all of this behind the scenes and transparent to the user.

We attempted to understand the root cause of this vulnerability by reading git-lfs's code. The authors of this write-up tried to put together as much information as possible in order to understand the cause of the problem. From line 23: func cloneCommand(cmd *cobra.

GitKraken makes the hard or redundant parts of Git easy. One of the most intuitive version control tools I have ever worked with. Use 2 Factor Authentication along with backup 2FA options for secure login to. Security Questions, and also restricts IP addresses for higher security. This permission will prevent any person from viewing your board unless they are logged into GitKraken Boards AND their user license belongs to your Organization. Data safety score: 7.3/10 (security score: 10.0/10, privacy score: 7.0/10, trust score: None/10) We found that GitKraken Boards protects user data with. These measures include secure data centers for hosting, limited physical server access, multiple levels of network security and redundancy, real-time monitoring.