Attacker Value
High
(1 user assessed)
Exploitability
Very Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2020-27955 — Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE)

Disclosure Date: November 05, 2020
CVE-2020-27955 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Git LFS 2.12.0 allows Remote Code Execution.

Add Assessment

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Very Low
Gives privileged accessUnauthenticatedDifficult to weaponizeRequires user interaction
Technical Analysis

Git Large File Storage or Git LFS is an open source extention used to store large files outside of the git repository. Git LFS stores the large file on a remote server while storing a pointer to the file in the repo.

Git LFS (git-lfs) versions <= 2.12 has a vulnerability that allows remote attackers to execute arbitrary code on the victim’s Windows system if the victim clones the attacker’s repository which makes use of git-lfs.

Git LFS does not specify the full path to the git binary when spawning a new git process as via the following ExecCommand() function:

subprocess/subprocess_windows.go:

    func ExecCommand(name string, arg ...string) *Cmd {
        cmd := exec.Command(name, arg...)
        cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
        cmd.Env = fetchEnvironment()
        return newCmd(cmd)
    }

If the attacker places a malicious executable file in the repository (which must be named either, git.bat, git.exe or git.cmd) when the repository gets cloned the malicous file gets executed instead of the original git binary located in a trusted path.

This can lead to priviliged access and take over of the windows host that gets tricked into cloning the malicious repo. Definitely worth patching although due to the level of user interaction required (they have to preform the clone) I would say the exploitability rating is quite low dispite having a CVSS score of 9.8

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
exploit
Utility Class
rce
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Dawid Golunski
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • git large file storage project

Products

  • git large file storage 2.12.0
Technical Analysis