Summary
When looking for Git for Windows so it can run it to report its paths, gix-path
can be tricked into running another git.exe
placed in an untrusted location by a limited user account.
Details
Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While gix-path
first looks for git
using a PATH
search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories:
https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14
Existing functions, as well as the newly introduced exe_invocation
function, were updated to make use of these alternative locations. This causes facilities in gix_path::env
to directly execute git.exe
in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it.
Although unusual setups where the system drive is not C:
, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no C:\Program Files (x86)
directory.
A limited user on a 32-bit Windows system can therefore create the C:\Program Files (x86)
directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses gix-path
and do not have git
in a PATH
directory.
(While having git
found in a PATH
search prevents exploitation, merely having it installed in the default location under the real C:\Program Files
directory does not. This is because the first hard-coded path's mingw64
component assumes a 64-bit installation.)
PoC
On a 32-bit (x86) Windows 10 system, with or without Git for Windows installed:
- Create a limited user account in
lusrmgr.msc
or the Settings application.
- Log in with that account and, using Windows Explorer or the
mkdir
command in PowerShell, create the directories C:\Program Files (x86)\Git\mingw32\bin
. Although a limited user account cannot create regular files directly in C:\
, it can create directories including one called Program Files (x86)
.
- Place a copy of
C:\Windows\system32\calc.exe
in C:\Program Files (x86)\Git\mingw32\bin
and rename it from calc.exe
to git.exe
. A different test payload may be used if preferred, and the executable need not already be signed or trusted.
- Log out, and log in as a different user. This user may be an administrator.
- If
gitoxide
is not installed, install it. If cargo install gitoxide
is used for the installation, then the version of gix-path
used in the installation can be observed.
- The vulnerability is only exploitable if
git
cannot be found in a PATH
search. So, in PowerShell, run gcm git
to check if git
is present in the PATH
. If so, temporarily remove it. One way to do this is for the current shell only, by running $env:PATH
to inspect it and by assigning $env:PATH = '...'
where ...
omits directories that contain git
.
- Some commands that can be run outside a repository, and most commands that can be run inside a repository, will run the Calculator or other payload at least once per invocation. Try
gix clone foo
or, inside of a repository, gix status
, gix config
, gix is-changed
, gix fetch
, ein t hours
, or ein t query
. This is not exhaustive; most other gix
and ein
commands that access existing repository state or a network resource likewise run the payload.
Impact
Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses gix-path
and must not have git
in its PATH
.
The main exploitable configuration is one where Git for Windows has been installed but not added to PATH
. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its PATH
to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a PATH
in which the real git.exe
can be found, then this cannot be exploited.
This vulnerability is comparable to CVE-2022-24765, in which an uncontrolled path like C:\.git\config
, which a limited user can create, could supply configuration used by other users. However, in this case, exploitation is slightly simpler because, rather than using configuration, an executable is directly run.
Summary
When looking for Git for Windows so it can run it to report its paths,
gix-path
can be tricked into running anothergit.exe
placed in an untrusted location by a limited user account.Details
Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While
gix-path
first looks forgit
using aPATH
search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories:https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14
Existing functions, as well as the newly introduced
exe_invocation
function, were updated to make use of these alternative locations. This causes facilities ingix_path::env
to directly executegit.exe
in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it.Although unusual setups where the system drive is not
C:
, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has noC:\Program Files (x86)
directory.A limited user on a 32-bit Windows system can therefore create the
C:\Program Files (x86)
directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that usesgix-path
and do not havegit
in aPATH
directory.(While having
git
found in aPATH
search prevents exploitation, merely having it installed in the default location under the realC:\Program Files
directory does not. This is because the first hard-coded path'smingw64
component assumes a 64-bit installation.)PoC
On a 32-bit (x86) Windows 10 system, with or without Git for Windows installed:
lusrmgr.msc
or the Settings application.mkdir
command in PowerShell, create the directoriesC:\Program Files (x86)\Git\mingw32\bin
. Although a limited user account cannot create regular files directly inC:\
, it can create directories including one calledProgram Files (x86)
.C:\Windows\system32\calc.exe
inC:\Program Files (x86)\Git\mingw32\bin
and rename it fromcalc.exe
togit.exe
. A different test payload may be used if preferred, and the executable need not already be signed or trusted.gitoxide
is not installed, install it. Ifcargo install gitoxide
is used for the installation, then the version ofgix-path
used in the installation can be observed.git
cannot be found in aPATH
search. So, in PowerShell, rungcm git
to check ifgit
is present in thePATH
. If so, temporarily remove it. One way to do this is for the current shell only, by running$env:PATH
to inspect it and by assigning$env:PATH = '...'
where...
omits directories that containgit
.gix clone foo
or, inside of a repository,gix status
,gix config
,gix is-changed
,gix fetch
,ein t hours
, orein t query
. This is not exhaustive; most othergix
andein
commands that access existing repository state or a network resource likewise run the payload.Impact
Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses
gix-path
and must not havegit
in itsPATH
.The main exploitable configuration is one where Git for Windows has been installed but not added to
PATH
. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes itsPATH
to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured aPATH
in which the realgit.exe
can be found, then this cannot be exploited.This vulnerability is comparable to CVE-2022-24765, in which an uncontrolled path like
C:\.git\config
, which a limited user can create, could supply configuration used by other users. However, in this case, exploitation is slightly simpler because, rather than using configuration, an executable is directly run.