Summary: In Git LFS versions 2.12.1 to 3.1.2 on Windows, a vulnerability allows an attacker to execute arbitrary code by exploiting a bug in the handling of program executable paths when the intended program is not found in any directory listed in PATH. This does not affect Unix systems.

Introduction: A recently discovered vulnerability in the Git Large File Storage (LFS) extension for Windows can allow an attacker to execute arbitrary code under certain conditions. In this article, we'll explain the vulnerability (CVE-2022-24826), provide details on the exploit, a code snippet, and links to the original references. We'll also discuss the patch released by Git LFS and potential workarounds.

Vulnerability Details: The vulnerability occurs when Git LFS operates on a malicious repository containing a file named ..exe together with a file named git.exe or cygpath.exe (among other executable names), and the corresponding executable is not found in any directory listed in PATH. Unix systems are not affected. The root cause is a bug in the Go os/exec package, which Git LFS uses to run external programs.

Here's a code snippet that highlights the issue (the content written to ..exe is a placeholder, not an actual executable):

package main

import (
	"fmt"
	"os"
	"os/exec"
)

func main() {
	// Work in a scratch directory that stands in for a checked-out repository.
	tempDir, err := os.MkdirTemp("", "cve-2022-24826")
	if err != nil {
		fmt.Println("cannot create temp dir:", err)
		return
	}
	defer os.RemoveAll(tempDir)

	originalCWD, _ := os.Getwd()
	defer os.Chdir(originalCWD)
	os.Chdir(tempDir)

	// Placeholder for the attacker-controlled file; a malicious repository would ship an executable here.
	someMaliciousCode := []byte("placeholder, not a real executable")
	if err := os.WriteFile("..exe", someMaliciousCode, 0644); err != nil {
		fmt.Println("cannot write ..exe:", err)
		return
	}

	// Model of the pre-3.1.3 Git LFS behaviour: when the intended program is not
	// found in PATH, an empty executable path is handed to os/exec.
	gitNotFoundErr := exec.Command("git.exe").Run()
	if gitNotFoundErr != nil {
		// On affected Go versions for Windows, an empty path makes os/exec look for
		// ".<ext>" (e.g. "..exe") in the current directory and run the first match.
		command := exec.Command("")
		err := command.Run()
		fmt.Println("exec.Command(\"\").Run() returned:", err)
	}
}

When Git LFS tries to execute an intended program such as git.exe or cygpath.exe and the program is not found in PATH, it passes an empty string as the executable path to the Go os/exec package. On Windows, that package contains a bug: given an empty path, it searches the current directory for files with the base name "." and a file extension taken from PATHEXT (for example ..exe), and executes the first one found.

Exploit Details: An attacker can create a malicious repository containing files named ..exe and git.exe, cygpath.exe, or other executable names. When a vulnerable version of Git LFS (2.12.1 through 3.1.2) operates on this repository on a Windows system where the intended executables are not in the PATH, the arbitrary code will be executed.

Patch Information: Git LFS has fixed this vulnerability in version 3.1.3 by reporting an error when a program is not found in any directory listed in PATH, instead of passing an empty string to the Go os/exec package. The bug in the Go os/exec package has been reported to the Go project and is expected to be patched after this security advisory is published.
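As an added example (not Git LFS's own code), the lookup pattern the 3.1.3 fix describes, written in Go beside the vulnerable one: vulnerableResolve swallows the not-found error and hands back an empty string, while safeResolve reports it as an error and additionally refuses a path resolved relative to the working directory, which for a checked-out repository is attacker-controlled. The function names and the ErrNoProgram value are assumptions for this illustration, not Git LFS identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// ErrNoProgram is returned when a required helper program cannot be located.
var ErrNoProgram = errors.New("program not found in any directory listed in PATH")

// vulnerableResolve models the pre-3.1.3 pattern: a lookup failure yields "",
// which affected Go/Windows builds of os/exec turn into a search for "..exe"
// (and the other PATHEXT variants) in the current directory.
func vulnerableResolve(name string) string {
	path, err := exec.LookPath(name)
	if err != nil {
		return ""
	}
	return path
}

// safeResolve is the corrected pattern: lookup failure is an error, and a
// result is never empty or relative to the (repository-controlled) cwd, so
// exec.Command is never handed an empty string.
func safeResolve(name string) (string, error) {
	if name == "" {
		return "", fmt.Errorf("%w: empty program name", ErrNoProgram)
	}
	path, err := exec.LookPath(name)
	if err != nil {
		return "", fmt.Errorf("%w: %q: %v", ErrNoProgram, name, err)
	}
	if !filepath.IsAbs(path) {
		return "", fmt.Errorf("refusing %q resolved from the working directory: %q", name, path)
	}
	return path, nil
}

func main() {
	for _, name := range []string{"git", "cygpath", ""} {
		if path, err := safeResolve(name); err != nil {
			fmt.Println("not running:", err)
		} else {
			fmt.Println("would run:", path)
		}
	}
}
```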

References

- Original Advisory
- Changelog for Git LFS 3.1.3

Recommendations: Users are advised to upgrade to Git LFS version 3.1.3. There are no known workarounds at this time.

Conclusion: This vulnerability in Git LFS for Windows can have serious consequences and should be promptly addressed. Upgrading your Git LFS installation to version 3.1.3 or higher can help protect your system from this arbitrary code execution vulnerability.

Timeline

Published on: 04/20/2022 00:16:00 UTC
Last modified on: 04/28/2022 15:27:00 UTC