CVE-2022-24826 - Arbitrary Code Execution in Windows via Malicious Git LFS Repositories

Date: June 2024  
Author: [Your Name – Exclusive Original Writeup]


CVE-2022-24826 describes a unique and dangerous vulnerability in Git Large File Storage (LFS) for Windows. This issue can allow an attacker to execute arbitrary programs simply by getting a victim to operate on a malicious Git repository. Here’s how it works, with simple explanations, code examples, and direct exploit details.

What is CVE-2022-24826?

Git LFS (Large File Storage) is a tool for managing large files with Git. On Windows, sudoers discovered that if a repo contains certain specially-named files, it’s possible to hijack calls to system utilities like git.exe, causing a different, attacker-controlled executable in the repository folder to be run instead.

Let’s break down how an attacker can pull this off, and why it works.

Exploit Scenario

Imagine you’re a developer on Windows. You clone a Git repo—with LFS enabled—that secretly contains two files:

git.exe (could be a dummy, empty file for confusion)

Git LFS sometimes needs to call external programs such as git, cygpath, or uname. If for any reason the actual program (e.g., git.exe) is not found anywhere in your system's PATH, Git LFS tries to run it anyway.

But due to a subtle bug in Go (the programming language Git LFS is written in), when the tool fails to find the real executable, it passes an empty string for the executable path to Go’s process-launching library. On Windows, this empty string leads to looking for a file like ..exe in your current directory—a back door’d executable provided by the attacker.

Windows Executable Search Quirk

On Windows, when you launch a process with a name like git (and it’s not found in PATH), the OS uses the PATHEXT environment variable to search for files like git.exe, git.com, etc. In this CVE, if the system can’t find git or cygpath in the usual places, but finds something like ..exe in the repo folder, it might start that.

Here's what happens inside Git LFS.

// Pseudocode based on issue description
cmd := exec.Command(externalProgram, args...)

// if external program not found in $PATH
// then externalProgram == ""
err := cmd.Run()

Runs the first such file it finds (excluding .bat, .cmd—see later for reason).

If that file is a trojan, it runs with the privileges of the current user—potentially destructive!

How ".bat" and ".cmd" Are Treated

Interesting detail: .bat and .cmd files don’t get executed directly because Windows automatically starts the interpreter cmd.exe instead. As a result, the exploit fails in these cases, but not with .exe or .com files.

Proof-of-Concept: Quick Demo

Let’s reproduce this exploit on a test Windows machine.

Step 1: Create a Malicious Repo

# In the repo root
echo @echo Hacked! > ..exe
echo dummy > git.exe

Step 2: Remove Real git.exe From PATH

Temporarily remove Git from your PATH (for testing).

Step 3: Run a Git LFS Command

git lfs status

Why It Works: Root Cause

When Git LFS tries to run git, and it’s not found, it fails to resolve the path, passes an empty string to Go’s process runner, and on Windows, that triggers the search for ..exe. This is an oversight both in LFS (should have exited with error), and in Go’s process-creation API.

> “The vulnerability occurs because when Git LFS detects that the program it intends to run does not exist in any directory listed in PATH then Git LFS passes an empty string as the executable file path to the Go os/exec package..."  
> — GitHub Advisory

What’s the Fix?

- Git LFS: In version 3.1.3, LFS now returns an error if a needed program is missing, instead of blindly trying to start it.
- Go (os/exec): The Go team has been notified to patch this process-launching logic.

> Important: The bug was introduced in LFS v2.12.1 and fixed in v3.1.3.  
> There are no workarounds — _upgrade now_!

References

- Original Security Advisory
- Go Issue Tracker about Windows os/exec
- Git LFS Changelog

Summary

CVE-2022-24826 shows how a tiny oversight—passing an empty string—can open the door to serious attacks, especially on platforms with quirky file-execution rules like Windows. If you use Git LFS, update to 3.1.3 ASAP, and avoid running LFS commands in unknown repositories.

Stay aware. Stay safe.

*This post was crafted for educational purposes. Do not attempt malicious actions—always use responsibly in legal, test environments!*


If you have questions or want to discuss further, drop a comment below or reach out on Git LFS Issues!

Timeline

Published on: 04/20/2022 00:16:00 UTC
Last modified on: 04/28/2022 15:27:00 UTC