second vuln

doc/bugs/security_hole_private_data_exposure_via_addurl.mdwn

@@ -123,30 +123,34 @@ git-annex's url downloading.
 > to see if they used GETURLS. ipfs did, but not in an exploitable way.
 > datalad does; looped in its developers to asess. Rest appear not to.
 
-> TODO document this security issue in special remote protocol page
-
 An external special remote might also make a simple http request to a
 key/value API to download a key, and follow a redirect to file:///
 or http://localhost/.
 
 If the key uses a cryptographic hash, git-annex verifies the content. 
 But, the attacker could have committed a key that doesn't
-use a hash. Also, the attacker could use the hash check as an oracle.
+use a hash. Also, the attacker could use the hash check as an oracle,
+to guess at the content of files.
 
-What if an external special remote uses https to a hardcoded server (either
+If the external special remote is encrypted, the http content is passed
-fully hardcoded, or configured by the user when they enable the remote),
+though gpg. So, whatever location an attacker redirects it to would also
-and uses a http library that only supports https and http (not file:///).
+have to be encrypted. gpg is not told what encryption key the content is
-Is that good enough? An attacker would need to either compromise the server
+expected to be encrypted with. (Could it be told somehow for hybrid and
-to redirect to a local private webserver, or MITM, and https should prevent
+shared encryption which key to use? pubkey encryption of course uses
-the MITM.
+the regular gpg public key). 
 
-This seems to require auditing of all external special remotes.
+So if the attacker knows a file that the user has encrypted with any of
-git-annex could add a new command to the external protocol, that asks
+their gpg keys, they can provide that file, and hope it will be decrypted.
-the special remote if it's been audited, and refuse to use ones that have
+Note that this does not need a redirect to a local file or web server; the
-not.
+attacker can make their web server serve up a gpg encrypted file.
 
-I have emailed all relevant external special remote authors a heads-up and
+So, content downloaded from encrypted special remotes (both internal and
-some questions.
+external) must be rejected unless it can be verified with a hash. Then
+content using WORM and URL keys would not be able to be downloaded from
+them. Might as well also require a hash check for non-encrypted external
+special remotes, to block the redirection attack. There could be a config
+setting to say that the git-annex repository is not being shared with
+untrusted third parties, and relax that check.
 
 > TODO
 

doc/security/CVE-2018-10857.mdwn

@@ -1,24 +1,42 @@
 CVE-2018-10857: Some uses of git-annex were vulnerable to a private data
 exposure and exfiltration attack. It could expose the content of files
 located outside the git-annex repository, or content from a private web
-server on localhost or the LAN.
+server on localhost or the LAN. Joey Hess discovered this attack.
+
+Additionally, git-annex encrypted special remotes could be leveraged
+by an attacker to decrypt files that were encrypted to the user's gpg
+key. This attack could be used to expose encrypted data that was never
+stored in git-annex. Daniel Dent discovered this attack in collaboration
+with Joey Hess.
 
 This was fixed in git-annex 6.20180622.
 
 ## details
 
-The attacker needed to have control over one of the remotes of the git-annex
+The attacker needs to have control over one of the remotes of the git-annex
 repository. For example, they may provide a public git-annex repository that
 the victim clones. Or the victim may have paired repositories with them. Or,
 equivilantly, the attacker could have read access to the victim's git-annex
 repository (eg on a server somewhere), and some channel to get commits into it
 (eg a pull requests).
 
-The attacker does `git-annex addurl --relaxed file:///etc/passwd` and commits
+To perform the private data and exfiltration attack, the attacker
-this to the repository in some out of the way place. Then they wait for the
+runs `git-annex addurl --relaxed file:///etc/passwd` and commits this to
-victim to pull the change. (As well as `file:///` urls, the attacker can
+the repository in some out of the way place. Then they wait for the victim
-use urls to private web servers. The url can also be one that the attacker
+to pull the change. (As well as `file:///` urls, the attacker can use urls
-controls, that redirects to such urls.)
+to private web servers. The url can also be one that the attacker controls,
+that redirects to such urls.)
+
+To perform the gpg decryption attack, the attacker also needs to have
+control of an encrypted special remote of the victim's git-annex
+repository. The attacker uses `git annex addurl --relaxed` with
+an innocuous url, and waits for the user's git-annex to download it,
+and upload an (encrypted) copy to the special remote they also control.
+At a later point, when the user downloads the content from the special
+remote, the attacker instead sends them the content of a gpg encrypted
+file they wish to have decrypted in its place. Finally, the attacker
+drops their own copy of the original innocuous url, and waits for the user
+to send them the decrypted form of the file they earlier sent.
 
 The easiest exploit is when the victim is running the git-annex assistant, or
 is periodically doing `git annex sync --content`. The victim may also perform