Diffstat (limited to 'doc/bugs/dashed_ssh_hostname_security_hole.mdwn')
-rw-r--r-- | doc/bugs/dashed_ssh_hostname_security_hole.mdwn | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/doc/bugs/dashed_ssh_hostname_security_hole.mdwn b/doc/bugs/dashed_ssh_hostname_security_hole.mdwn new file mode 100644 index 000000000..3afe367ac --- /dev/null +++ b/doc/bugs/dashed_ssh_hostname_security_hole.mdwn @@ -0,0 +1,25 @@ +git-annex was vulnerable to the same class of security hole as +git's CVE-2017-1000117. In several cases, git-annex parses a repository +url, and uses it to generate a ssh command, with the hostname to ssh to +coming from the url. If the hostname it parses is something like +"-eProxyCommand=evil", this could result in arbitrary local code execution +via ssh. + +I have not bothered to try to exploit the problem, and some details of URL +parsing may prevent the exploit working in some cases. + +Exploiting this would involve the attacker tricking the victim into adding +a remote something like "ssh://-eProxyCommand=evil/blah". + +One possible avenue for an attacker that avoids exposing the URL to the +user is to use initremote with a ssh remote, so embedding the URL in the +git-annex branch. Then the victim would enable it with enableremote. + +This was fixed in version 6.20170818. Now there's a SshHost type that +is not allowed to start with a dash, and every invocation of git-annex is +in a function that takes a SshHost. + +[[done]] + +--[[Joey]] + |
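Review bot: the closing paragraph says "every invocation of git-annex is in a function that takes a SshHost", but the rest of the page is about the ssh command that git-annex generates from the parsed hostname, so this looks like it should read "every invocation of ssh is in a function that takes a SshHost"; please correct it so the description of the fix matches the description of the bug. It would also help readers to state what happens when a parsed hostname fails the SshHost check (the URL is rejected rather than passed through), since the text only says the type "is not allowed to start with a dash".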