Skip to content

gix refs and paths with reserved Windows device names access the devices

Moderate severity GitHub Reviewed Published May 22, 2024 in GitoxideLabs/gitoxide • Updated Aug 5, 2024

Package

cargo gitoxide (Rust)

Affected versions

< 0.36.0

Patched versions

0.36.0
cargo gitoxide-core (Rust)
< 0.38.0
0.38.0
cargo gix (Rust)
< 0.63.0
0.63.0
cargo gix-index (Rust)
< 0.33.0
0.33.0
cargo gix-ref (Rust)
< 0.44.0
0.44.0
cargo gix-worktree (Rust)
< 0.34.0
0.34.0
cargo gix-worktree-state (Rust)
< 0.11.0
0.11.0

Description

Summary

On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.

Details

It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:

  • In references, gix-ref does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
  • In paths, gix-worktree-state does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.

Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:

  • Reading a ref whose last component (e.g., tag name) is CON or CONIN$ reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
  • Checking out a file named CON or CONOUT$ writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.

Another potentially important case is serial ports. For example, COM1 refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.

Naming Files, Paths, and Namespaces covers most reserved names. CONIN$ and CONOUT$ are also special, and are similar in effect to CON but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, CON.txt is equivalent to CON) and with some variations involving added spaces or colons.

PoC

Ref example

Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON to create a lightweight tag named CON. Place the repository somewhere it can be cloned on Windows. A file:// URL is sufficient for testing if a private remote is unavailable. If using git push, pass --tags so the remote has the tag.

On a Windows system, clone the repository with gix clone. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with Ctrl+C.

However, if desired, input can be provided. Ending input with Ctrl+Z followed by Enter will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.

Path example

Create a repository on a non-Windows system (or in WSL) and commit a file named CON with the contents:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!

While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file:// URL is sufficient.

On a Windows system, clone the repository with gix clone. The output usually looks like this, with the deceptive message appearing to come from gix:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
 04:45:15     Resolving done 3.0 objects in 0.05s (58.0 objects/s)
 04:45:15      Decoding done 309B in 0.05s (6.0KB/s)
 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
 04:45:15  create index file done 3.0 objects in 0.05s (55.0 objects/s)
 04:45:15          read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype

Caused by:
    Incorrect function. (os error 1)

The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error: line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.

Impact

If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.

The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.

For attacks using the CON or CONOUT$ device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix appears to recommend it. The user may then be misled into running an attacker's command.

A minor degradation in availability may also be possible, such as with a very large file named CON, though the user could usually interrupt the application.

References

@Byron Byron published to GitoxideLabs/gitoxide May 22, 2024
Published to the GitHub Advisory Database May 22, 2024
Reviewed May 22, 2024
Published by the National Vulnerability Database May 23, 2024
Last updated Aug 5, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction Active
Vulnerable System Impact Metrics
Confidentiality None
Integrity Low
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.
Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.
Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.
Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
Vulnerable System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
Subsequent System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-35197

GHSA ID

GHSA-49jc-r788-3fc9

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.