Users of the world's most popular software version control systems can be attacked when cloning a repository over SSH.
When first announced by Recurity Labs' Joern Schneeweisz, the vulnerability was attributed to Git, Mercurial and Subversion; and over the weekend, Hank Leininger of Korelogic told the OSS-Sec list the issue also affects the ancient CVS (Concurrent Versions System).
Schneeweisz writes that he first spotted the issue in Git LFS (Large File Storage) in May, and worked out that an attacker could craft the .lfsconfig file to “point Git LFS to crafted ssh:// URLs of the following form:”
[lfs] url = ssh://-oProxyCommand=some-command
That opened a “shockingly simple” vector for arbitrary command execution via a crafted repository – and with further work, Schneeweisz found, GitLab was also attackable via
$ git clone ssh://-oProxyCommand=gnome-calculator/wat
Yes, he observes, a user seeing that URL would probably think something was amiss – but not if the call happens in a Git submodule: “it is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger.”
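A pre-clone check for the submodule case described above, added here as an example and not code from the advisory or from any of the affected projects: it scans a constructed .gitmodules (the same git-config syntax .lfsconfig uses) and flags ssh:// URLs whose host begins with a dash, which is what ssh would otherwise parse as an option.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample .gitmodules; the first URL mirrors the crafted form quoted
# in the article, the second is an ordinary submodule with a user and port.
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = ssh://-oProxyCommand=gnome-calculator/wat
[submodule "docs"]
\tpath = docs
\turl = ssh://git@example.invalid:2222/docs.git
[submodule "vendor"]
\tpath = vendor
\turl = https://example.invalid/vendor.git
"""

# Matches "url = <value>" lines in git-config style files.
URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$", re.MULTILINE)


def ssh_host(url: str) -> Optional[str]:
    """Return the host part of an ssh:// URL, or None for other schemes.

    The host is what ends up as ssh's positional argument, so it is the part
    that must never start with '-'. User info and port are stripped manually
    rather than via .hostname so the original case is preserved.
    """
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        return None
    authority = parts.netloc.rpartition("@")[2]      # drop user[:pass]@
    if authority.startswith("["):                     # bracketed IPv6 literal
        return authority.split("]")[0] + "]"
    return authority.split(":")[0]                    # drop :port


def is_option_injection(url: str) -> bool:
    """True when the ssh host would be read by ssh as a command-line option."""
    host = ssh_host(url)
    return host is not None and host.startswith("-")


def unsafe_urls(config_text: str) -> List[str]:
    """Every url= value in a .gitmodules/.lfsconfig text that should be refused."""
    return [u for u in URL_LINE.findall(config_text) if is_option_injection(u)]


if __name__ == "__main__":
    for url in unsafe_urls(SAMPLE_GITMODULES):
        print("refusing submodule URL:", url)
```

Run this over a checkout's .gitmodules before a recursive clone or submodule update on a client that has not yet been patched.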
He also identified SVN and Mercurial as suffering from the same issue (CVEs CVE-2017-1000117, CVE-2017-9800, and CVE-2017-1000116 have been assigned to Git, Subversion and Mercurial, but they're yet to land at Mitre).
In his advisory about CVS, Leininger notes that if it's configured for remote access over SSH, a similar hostname trick can be pulled. However, it's more visible in the URL, and as he wryly notes, “first you would have to find a victim”.
Git, Mercurial and Subversion have all been patched.