second vuln
This commit is contained in:
parent 923578ad78
commit c5166b56af
2 changed files with 44 additions and 22 deletions
@ -1,24 +1,42 @@
CVE-2018-10857: Some uses of git-annex were vulnerable to a private data
exposure and exfiltration attack. It could expose the content of files
located outside the git-annex repository, or content from a private web
server on localhost or the LAN.
server on localhost or the LAN. Joey Hess discovered this attack.
Additionally, git-annex encrypted special remotes could be leveraged
by an attacker to decrypt files that were encrypted to the user's gpg
key. This attack could be used to expose encrypted data that was never
stored in git-annex. Daniel Dent discovered this attack in collaboration
with Joey Hess.
This was fixed in git-annex 6.20180622.
## details
The attacker needed to have control over one of the remotes of the git-annex
The attacker needs to have control over one of the remotes of the git-annex
repository. For example, they may provide a public git-annex repository that
the victim clones. Or the victim may have paired repositories with them. Or,
equivilantly, the attacker could have read access to the victim's git-annex
repository (eg on a server somewhere), and some channel to get commits into it
(eg a pull requests).
The attacker does `git-annex addurl --relaxed file:///etc/passwd` and commits
this to the repository in some out of the way place. Then they wait for the
victim to pull the change. (As well as `file:///` urls, the attacker can
use urls to private web servers. The url can also be one that the attacker
controls, that redirects to such urls.)
To perform the private data and exfiltration attack, the attacker
runs `git-annex addurl --relaxed file:///etc/passwd` and commits this to
the repository in some out of the way place. Then they wait for the victim
to pull the change. (As well as `file:///` urls, the attacker can use urls
to private web servers. The url can also be one that the attacker controls,
that redirects to such urls.)
To perform the gpg decryption attack, the attacker also needs to have
control of an encrypted special remote of the victim's git-annex
repository. The attacker uses `git annex addurl --relaxed` with
an innocuous url, and waits for the user's git-annex to download it,
and upload an (encrypted) copy to the special remote they also control.
At a later point, when the user downloads the content from the special
remote, the attacker instead sends them the content of a gpg encrypted
file they wish to have decrypted in its place. Finally, the attacker
drops their own copy of the original innocuous url, and waits for the user
to send them the decrypted form of the file they earlier sent.
The easiest exploit is when the victim is running the git-annex assistant, or
is periodically doing `git annex sync --content`. The victim may also perform
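Review bot: the new paragraph that opens the exfiltration scenario calls it "the private data and exfiltration attack", while the summary at the top of the file names it a "private data exposure and exfiltration attack"; use the same name in both places so readers can map the details section onto the summary. Two wording fixes in the "details" section while you are in there: "equivilantly" should be "equivalently", and "(eg a pull requests)" should be "(eg a pull request)". The command is also written two ways, `git-annex addurl --relaxed` in the exfiltration paragraph and `git annex addurl --relaxed` in the gpg decryption paragraph; pick one spelling for the whole document.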