Listen to this Post
The vulnerability in Git LFS arises from improper handling of symbolic and hard links during checkout and pull operations. When the `git lfs checkout` or `git lfs pull` commands populate the working tree with Large File Storage (LFS) objects, they did not adequately check for existing symbolic links. If an attacker places a symbolic link in the repository that collides with the path of a file tracked by Git LFS, the command would unsafely write the LFS object’s content through the link. This could overwrite any file on the filesystem that the user running the command has permission to modify, leading to arbitrary file write. In a bare repository scenario, a specific sequence could also lead to files being written outside the repository’s designated area. The patch introduces security checks identical to Git’s own symlink verification and ensures files are removed before being rewritten, preventing the traversal.
Platform: Git LFS
Version: 0.5.2 – 3.7.0
Vulnerability: Arbitrary File Write
Severity: Critical
date: 2023-08-28
Prediction: 2023-08-28 (Patched)
What Undercode Say:
find . -type l -ls git lfs checkout git lfs pull git config core.symlinks false
Example malicious symlink creation ln -s /etc/passwd ./malicious-link.dat
How Exploit:
Create malicious symlinks.
Wait for victim’s `git lfs pull`.
Overwrites targeted files.
Protection from this CVE
Upgrade to v3.7.1.
Disable core.symlinks.
Audit for existing symlinks.
Impact:
Arbitrary file overwrite.
Potential code execution.
Security bypass.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
