Summary

On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.

Details

It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:

• In references, gix-ref does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
• In paths, gix-worktree-state does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.

Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:

• Reading a ref whose last component (e.g., tag name) is CON or CONIN$ reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
• Checking out a file named CON or CONOUT$ writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.

Another potentially important case is serial ports. For example, COM1 refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.

Naming Files, Paths, and Namespaces covers most reserved names. CONIN$ and CONOUT$ are also special, and are similar in effect to CON but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, CON.txt is equivalent to CON) and with some variations involving added spaces or colons.

PoC

Ref example

Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON to create a lightweight tag named CON. Place the repository somewhere it can be cloned on Windows. A file:// URL is sufficient for testing if a private remote is unavailable. If using git push, pass --tags so the remote has the tag.

On a Windows system, clone the repository with gix clone. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with Ctrl+C.

However, if desired, input can be provided. Ending input with Ctrl+Z followed by Enter will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.

Path example

Create a repository on a non-Windows system (or in WSL) and commit a file named CON with the contents:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!

While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file:// URL is sufficient.

On a Windows system, clone the repository with gix clone. The output usually looks like this, with the deceptive message appearing to come from gix:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
 04:45:15     Resolving done 3.0 objects in 0.05s (58.0 objects/s)
 04:45:15      Decoding done 309B in 0.05s (6.0KB/s)
 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
 04:45:15  create index file done 3.0 objects in 0.05s (55.0 objects/s)
 04:45:15          read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype

Caused by:
    Incorrect function. (os error 1)

The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error: line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.

Impact

If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.

The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.

For attacks using the CON or CONOUT$ device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix appears to recommend it. The user may then be misled into running an attacker's command.

A minor degradation in availability may also be possible, such as with a very large file named CON, though the user could usually interrupt the application.

Summary

When looking for Git for Windows so it can run it to report its paths, gix-path can be tricked into running another git.exe placed in an untrusted location by a limited user account.

Details

Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While gix-path first looks for git using a PATH search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories:

/// Other places to find Git in.
#[cfg(windows)]
pub(super) static ALTERNATIVE_LOCATIONS: &[&str] = &[
    "C:/Program Files/Git/mingw64/bin",
    "C:/Program Files (x86)/Git/mingw32/bin",
];

Existing functions, as well as the newly introduced exe_invocation function, were updated to make use of these alternative locations. This causes facilities in gix_path::env to directly execute git.exe in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it.

Although unusual setups where the system drive is not C:, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no C:\Program Files (x86) directory.

A limited user on a 32-bit Windows system can therefore create the C:\Program Files (x86) directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses gix-path and do not have git in a PATH directory.

(While having git found in a PATH search prevents exploitation, merely having it installed in the default location under the real C:\Program Files directory does not. This is because the first hard-coded path's mingw64 component assumes a 64-bit installation.)

PoC

On a 32-bit (x86) Windows 10 system, with or without Git for Windows installed:

1. Create a limited user account in lusrmgr.msc or the Settings application.
2. Log in with that account and, using Windows Explorer or the mkdir command in PowerShell, create the directories C:\Program Files (x86)\Git\mingw32\bin. Although a limited user account cannot create regular files directly in C:\, it can create directories including one called Program Files (x86).
3. Place a copy of C:\Windows\system32\calc.exe in C:\Program Files (x86)\Git\mingw32\bin and rename it from calc.exe to git.exe. A different test payload may be used if preferred, and the executable need not already be signed or trusted.
4. Log out, and log in as a different user. This user may be an administrator.
5. If gitoxide is not installed, install it. If cargo install gitoxide is used for the installation, then the version of gix-path used in the installation can be observed.
6. The vulnerability is only exploitable if git cannot be found in a PATH search. So, in PowerShell, run gcm git to check if git is present in the PATH. If so, temporarily remove it. One way to do this is for the current shell only, by running $env:PATH to inspect it and by assigning $env:PATH = '...' where ... omits directories that contain git.
7. Some commands that can be run outside a repository, and most commands that can be run inside a repository, will run the Calculator or other payload at least once per invocation. Try gix clone foo or, inside of a repository, gix status, gix config, gix is-changed, gix fetch, ein t hours, or ein t query. This is not exhaustive; most other gix and ein commands that access existing repository state or a network resource likewise run the payload.

Impact

Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses gix-path and must not have git in its PATH.

The main exploitable configuration is one where Git for Windows has been installed but not added to PATH. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its PATH to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a PATH in which the real git.exe can be found, then this cannot be exploited.

This vulnerability is comparable to CVE-2022-24765, in which an uncontrolled path like C:\.git\config, which a limited user can create, could supply configuration used by other users. However, in this case, exploitation is slightly simpler because, rather than using configuration, an executable is directly run.