second vuln

This commit is contained in:
Joey Hess 2018-06-19 17:03:04 -04:00
parent 923578ad78
commit c5166b56af
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
2 changed files with 44 additions and 22 deletions

View file

@ -1,24 +1,42 @@
CVE-2018-10857: Some uses of git-annex were vulnerable to a private data
exposure and exfiltration attack. It could expose the content of files
located outside the git-annex repository, or content from a private web
server on localhost or the LAN.
server on localhost or the LAN. Joey Hess discovered this attack.
Additionally, git-annex encrypted special remotes could be leveraged
by an attacker to decrypt files that were encrypted to the user's gpg
key. This attack could be used to expose encrypted data that was never
stored in git-annex. Daniel Dent discovered this attack in collaboration
with Joey Hess.
This was fixed in git-annex 6.20180622.
## details
The attacker needed to have control over one of the remotes of the git-annex
The attacker needs to have control over one of the remotes of the git-annex
repository. For example, they may provide a public git-annex repository that
the victim clones. Or the victim may have paired repositories with them. Or,
equivilantly, the attacker could have read access to the victim's git-annex
repository (eg on a server somewhere), and some channel to get commits into it
(eg a pull requests).
The attacker does `git-annex addurl --relaxed file:///etc/passwd` and commits
this to the repository in some out of the way place. Then they wait for the
victim to pull the change. (As well as `file:///` urls, the attacker can
use urls to private web servers. The url can also be one that the attacker
controls, that redirects to such urls.)
To perform the private data and exfiltration attack, the attacker
runs `git-annex addurl --relaxed file:///etc/passwd` and commits this to
the repository in some out of the way place. Then they wait for the victim
to pull the change. (As well as `file:///` urls, the attacker can use urls
to private web servers. The url can also be one that the attacker controls,
that redirects to such urls.)
To perform the gpg decryption attack, the attacker also needs to have
control of an encrypted special remote of the victim's git-annex
repository. The attacker uses `git annex addurl --relaxed` with
an innocuous url, and waits for the user's git-annex to download it,
and upload an (encrypted) copy to the special remote they also control.
At a later point, when the user downloads the content from the special
remote, the attacker instead sends them the content of a gpg encrypted
file they wish to have decrypted in its place. Finally, the attacker
drops their own copy of the original innocuous url, and waits for the user
to send them the decrypted form of the file they earlier sent.
The easiest exploit is when the victim is running the git-annex assistant, or
is periodically doing `git annex sync --content`. The victim may also perform