Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 16 Mar 2016 10:17:35 +0100
From: Laël Cellier <lael.cellier@...oste.net>
To: Chris Williams <cwilliams@...pub.com>, oss-security@...ts.openwall.com
Subject: Re: Exploitability of Git's CVE-2016-2315


> Hi Laël,
>
> Congrats on the GitHub bounty for the Git bug. I have a quick question about CVE-2016-2315: is it feasibly exploitable? Do you have to push a very large repository with very long strings to overflow the signed integer in path_name()?
>
> Many thanks,
>
> C.
>
Yes, you have to create a repository path which is larger than 2³¹.

However, you have the control at what place the remote code execution 
should happen in the buffer. git objects are zlib compressed and git 
Servers tend to allow downloading over https or (even better ssh) which 
use zlib compression. This allow compress data twice (compressing a 
second time tend to be efficient in zlib if the data is well compressible).

If you find well zlib compressible data which you can combine with 
assembly, you’ll probably be able to reduce network data to 
200Mb. GitHub told they change their message if they could run the proof 
on 
https://github-enterprise.s3.amazonaws.com/hyperv/releases/github-enterprise-2.4.1.vhd 
or 
https://github-enterprise.s3.amazonaws.com/kvm/updates/github-enterprise-kvm-2.4.1.pkg 
or 
https://github-enterprise.s3.amazonaws.com/kvm/releases/github-enterprise-2.4.1.qcow2 
or 
https://github-enterprise.s3.amazonaws.com/esx/releases/github-enterprise-2.4.1.ova 
or 
https://github-enterprise.s3.amazonaws.com/xen/releases/github-enterprise-2.4.1.vhd

I used python gitdb to confirm the server side memory corruption. This 
allowed me to leverage the bug.
However, without a push command I can use, I had to build an ssh network 
payload from the generated packfile (the ꜱꜱʜ protocol is simpler than 
the ʜᴛᴛᴘꜱ one) that I could use with
ssh -C -o compressionlevel=9 git@...hub.com git-receive-pack the/repo.git

Creating an ʜᴛᴛᴘꜱ version should possible, however curl doesn’t know 
about ʜᴛᴛᴘ compression for uploading. So this require to pre compress 
the payload and trick ʜᴛᴛᴘ headers

The git:// protocol doesn’t support compression, so only the packfile 
compression remains.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.