Git is more than just a tool for developers—it's the backbone for much of the software world. But every powerful tool has potential vulnerabilities, and in 2022, a curious bug in Git's restricted shell (git-shell) exposed a direct path to remote code execution. Let's break down what exactly happened in CVE-2022-39260, how it could be exploited, and what you should do about it.
What Is Git Shell?
First, a bit of background for context. git shell is a special login shell designed to limit users to only a handful of safe Git operations (like clone, fetch, and push). It's commonly used to allow people to push or pull code via SSH without giving them full shell access on the server. Here's a typical line you might find in /etc/passwd to restrict a user to git-shell:
gituser:x:1001:1001:,,,:/home/gituser:/usr/bin/git-shell
The Vulnerability: Integer Overflow in Argument Handling
The vulnerable versions of Git (before 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4) had an improper way of handling command arguments.
When parsing incoming commands, git-shell needed to split strings (from SSH) into an array of arguments before passing them to execv(). The issue was in the function responsible for doing this split.
The function used an int (usually 32-bits) to keep track of how many arguments it had built so far. If an attacker supplied an extremely long command, they could make this counter "overflow" (wrap around), tricking the program into thinking the array was much smaller than it really was. This led to out-of-bounds heap writes — a classic heap overflow.
Here’s a simplified version of what went wrong (not the real Git code, but similar)
// Typical (buggy) argument splitting loop:
char **split_args(const char *cmdline) {
int count = ; // Vulnerable: could overflow if too many items!
char **args = malloc(MAX_ARGS * sizeof(char*));
char *token = strtok(cmdline, " ");
while (token != NULL) {
args[count++] = strdup(token);
token = strtok(NULL, " ");
}
args[count] = NULL;
return args;
}
If an attacker could force enough tokens to make count wrap around (e.g., from 2147483647 to -2147483648 on a 32-bit signed int), args[count++] = ... could actually start overwriting memory outside of the bounds of the args array.
Exploitation: Turning Overflow into Remote Code Execution
The heap overflow lets the attacker scribble over memory after the argument array.
But why is this serious? Because after splitting, git-shell does roughly this
execv("/usr/bin/git-upload-pack", args);
Eventually hijack execution and run arbitrary commands on the server
The critical catch:
This vulnerability can only be exploited if the victim has already set up git-shell as the login shell for remote SSH access. So, the risk is limited, but in cases where it applies (shared developer servers, hosted Git repositories), the impact is severe.
They send an extra-long command to the shell, specifically crafted to overflow the arguments heap.
3. The overflow data is shaped to overwrite a critical memory structure (like a function pointer or arguments for the next execv() call).
When git-shell calls execv(), it ends up running a command chosen by the attacker.
*(Actual weaponized exploits would be more complex and are not provided here.)*
How Do I Fix This? (Mitigation & Patches)
Upgrade first and foremost!
2.37.4
See the official security advisory for details.
References & Further Reading
- CVE-2022-39260 on NVD
- GitHub Security Advisory
- Git 2.38 Release Notes (includes mention of CVE-2022-39260)
Conclusion
CVE-2022-39260 is a strong example of how even robust software like Git can falter with basic programming errors — in this case, using an int where a size_t was needed. On shared servers or repository hosts, this bug could give attackers total control via nothing more than command line data. If you use git-shell for SSH access, upgrade right now, or disable it until you can.
Stay safe, and remember: even the smallest bugs can have big consequences.
Timeline
Published on: 10/19/2022 12:15:00 UTC
Last modified on: 11/16/2022 18:30:00 UTC