{"id":35025,"date":"2017-08-15T00:38:35","date_gmt":"2017-08-15T00:38:35","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/devops\/?p=35025"},"modified":"2019-02-14T15:51:22","modified_gmt":"2019-02-14T23:51:22","slug":"git-vulnerability-with-submodules","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/git-vulnerability-with-submodules\/","title":{"rendered":"Git vulnerability with submodules"},"content":{"rendered":"<p>The Git community <a href=\"https:\/\/public-inbox.org\/git\/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com\/T\/#u\">has disclosed a serious security vulnerability<\/a> in Git that can lead to arbitrary code execution. This has been assigned CVE 2017-1000117.<\/p>\n<p>The Visual Studio Team Services (VSTS) team takes security issues very seriously.\u00a0 We encourage all users to update their Git clients as soon as possible to address this issue.<\/p>\n<ul>\n<li>If you&#8217;re using Git for Windows, you can download the latest version from <a href=\"https:\/\/git-for-windows.github.io\/\">https:\/\/git-for-windows.github.io\/<\/a>.<\/li>\n<li>Visual Studio 2017 users should update to version 15.3.26730.8 or better using the update mechanism within Visual Studio. Versions of Visual Studio <em>prior<\/em> to 2017 are unaffected.<\/li>\n<li>Hosted build agents for VSTS have been updated to include a patched version of Git.  An updated version 2.120.2 is available for download from VSTS for teams running their own agents.<\/li>\n<\/ul>\n<p>If you use other Git clients, please contact the vendor to understand whether or not you need to upgrade.<\/p>\n<h2>The problem<\/h2>\n<p>When fetching from remote repositories, Git URL parsing can be confused by command line options embedded inside the URL. This can be exploited to pass specific command-line options to the <code>ssh<\/code> executable, and those options may specify a command to execute using its &#8220;<code>ProxyCommand<\/code>&#8221; functionality.<\/p>\n<p>For example, if you run:<\/p>\n<blockquote><p><code>git clone ssh:\/\/-oProxyCommand=notepad.exe\/ \/tmp\/git_vulnerability<\/code><\/p><\/blockquote>\n<p>Then Notepad will open. (Substitute <code>notepad.exe<\/code> with an application of your choice if you&#8217;re not a Windows user.)<\/p>\n<p>Of course, since this URL looks quite funny, it&#8217;s unlikely that somebody would be convinced to clone that themselves. The larger risk, instead, comes when this URL is embedded as a submodule in a rather innocent-looking repository.<\/p>\n<p>An attacker can easily change the URL of a submodule in a repository by editing the <code>.gitmodules<\/code> file. If it were changed to point to the exploit URL above:<\/p>\n<blockquote><p><code>[submodule \"pwned\"]\npath = pwned\nurl = ssh:\/\/-oProxyCommand=notepad.exe\/<\/code><\/p><\/blockquote>\n<p>Then doing a recursive clone on this innocent-looking repository would cause arbitrary code execution.<\/p>\n<p><img decoding=\"async\" width=\"600\" height=\"324\" class=\"alignnone size-full wp-image-35035\" alt=\"\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2017\/08\/pwned-small.gif\" \/><\/p>\n<h2>Solution<\/h2>\n<p>The solution to this problem is quite simple and effective: submodule URLs are now examined more closely by Git clients. If the SSH hostname <a href=\"https:\/\/github.com\/git\/git\/commit\/4274c698f46a9bc45834c4904e7e113450c042fb#diff-c36199ef0fc86df61570de73eb0fde65R1324\">looks like a command-line option<\/a> (i.e., if it begins with a &#8220;<code>-<\/code>&#8220;) then the submodule is blocked.\u00a0The updated Git clients referenced above contain this fix and should be installed as soon as possible.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Git community has disclosed a serious security vulnerability in Git that can lead to arbitrary code execution. This has been assigned CVE 2017-1000117. The Visual Studio Team Services (VSTS) team takes security issues very seriously.\u00a0 We encourage all users to update their Git clients as soon as possible to address this issue. If you&#8217;re [&hellip;]<\/p>\n","protected":false},"author":233,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,225],"tags":[],"class_list":["post-35025","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-git"],"acf":[],"blog_post_summary":"<p>The Git community has disclosed a serious security vulnerability in Git that can lead to arbitrary code execution. This has been assigned CVE 2017-1000117. The Visual Studio Team Services (VSTS) team takes security issues very seriously.\u00a0 We encourage all users to update their Git clients as soon as possible to address this issue. If you&#8217;re [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/35025","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/233"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=35025"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/35025\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=35025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=35025"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=35025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}