High
CVE-2020-27955 — Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE)
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-27955 — Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE)
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Git LFS 2.12.0 allows Remote Code Execution.
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityVery Low
Technical Analysis
Git Large File Storage or Git LFS is an open source extention used to store large files outside of the git repository. Git LFS stores the large file on a remote server while storing a pointer to the file in the repo.
Git LFS (git-lfs) versions <= 2.12 has a vulnerability that allows remote attackers to execute arbitrary code on the victim’s Windows system if the victim clones the attacker’s repository which makes use of git-lfs.
Git LFS does not specify the full path to the git binary when spawning a new git process as via the following ExecCommand() function:
subprocess/subprocess_windows.go
:
func ExecCommand(name string, arg ...string) *Cmd { cmd := exec.Command(name, arg...) cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} cmd.Env = fetchEnvironment() return newCmd(cmd) }
If the attacker places a malicious executable file in the repository (which must be named either, git.bat, git.exe or git.cmd) when the repository gets cloned the malicous file gets executed instead of the original git binary located in a trusted path.
This can lead to priviliged access and take over of the windows host that gets tricked into cloning the malicious repo. Definitely worth patching although due to the level of user interaction required (they have to preform the clone) I would say the exploitability rating is quite low dispite having a CVSS score of 9.8
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- git large file storage project
Products
- git large file storage 2.12.0
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: