GitXplorerGitXplorer
r

clonepwn

public
1 stars
0 forks
0 issues

Commits

List of commits on branch $(IFS=_;cmd=echo_hello_$USER,_you_are_not_vulnerable_to_clonepwn;cmd2=sed_-e_s/not.v/v/;$cmd|$cmd2).
Unverified
476f5b44b5118e0d13bad0e1674f961dbaa5fc15

update repository URL

rrhansen committed 9 years ago
Unverified
d12b9877f0638e1e82c9ed3af06363ca32b80dac

upstream Git has been fixed; update accordingly

rrhansen committed 9 years ago
Unverified
2d56f403abe29614f67047569e58f11ff47baba7

add a description for those who don't want to try it out

rrhansen committed 9 years ago
Unverified
a950d80fbd2960fcb52d3f111a133aaa79985516

include patch and link to patch discussion

rrhansen committed 11 years ago
Unverified
6e51d37ebe5375ad95d9592f6d3850cb965eaef7

instructions

rrhansen committed 11 years ago

README

The README file for this repository.

clonepwn

The purpose of this repository is to demonstrate arbitrary code execution after cloning a repository when using vulnerable versions of __git_ps1 in two- or three-argument mode.

Instructions

If you are using bash:

  1. Get git-prompt.sh from the git.git repository (in the contrib/completion subdirectory).

  2. Follow steps 1, 2, and 3b at the top of the git-prompt.sh file.

  3. Clone this repository:

    git clone https://github.com/rhansen/clonepwn.git

  4. cd into the new clonepwn directory.

If you are using a vulnerable version of __git_ps1 (and your username is username), you will see the following text in your prompt:

hello username, you are vulnerable to clonepwn

Otherwise, you will see the following:

$(IFS=_;cmd=echo_hello_$USER,_you_are_not_vulnerable_to_clonepwn;cmd2=sed_-e_s/not.v/v/;$cmd|$cmd2)

How It Works

The default branch in this repository is not master—it has an unusual name:

$(IFS=_;cmd=echo_hello_$USER,_you_are_not_vulnerable_to_clonepwn;cmd2=sed_-e_s/not.v/v/;$cmd|$cmd2)

This name is also valid shell code. Old versions of the __git_ps1 function set PS1 (the variable that holds your prompt) in a way that causes the code to be interpreted by the shell. This causes the following to happen:

  1. The shell sets the IFS variable to _. This causes the shell to break words with underscores into multiple fields. This makes it possible to pass arguments to commands (Git does not permit whitespace in branch names).

  2. The shell sets the cmd variable to:

    echo_hello_username,_you_are_not_vulnerable_to_clonepwn

  3. The shell sets the cmd2 variable to:

    sed_-e_s/not.v/v/

  4. The shell runs $cmd|$cmd2. Because IFS is set to an underscore, this gets expanded like:

    echo hello username, you are not vulnerable to clonepwn|sed -e s/not.v/v/

    This runs the echo command with the arguments hello, username,, you, are, not, vulnerable, to, and clonepwn, which, as you might expect, prints the following string:

    hello username, you are not vulnerable to clonepwn

    The pipe symbol (|) tells the shell to feed echo's output to this sed command:

    sed -e s/not.v/v/

    Those arguments to sed cause it to replace not v with v (it removes the word not), and print the result:

    hello username, you are vulnerable to clonepwn

  5. The shell captures the above output of sed (because of the $(...) construct), and the entire $(...) string is replaced with:

    hello username, you are vulnerable to clonepwn

  6. __git_ps1 shows the above string as the branch name instead of the true branch name.

Note that the above code is benign, but it could have been malicious. For example, if the branch had been named $(IFS=_;cmd=sudo_rm_-rf_/;$cmd) then some real damage could have been done (erase your hard drive).

The Fix

The version of __git_ps1 that comes with Git v1.9.3 and later have been fixed. If you are using an older version, apply the following two patches to git-prompt.sh:

You may be interested in the mailing list thread where this fix was discussed.