We’ve always been a fans of wargames. Not the movie (well, likewise the movie) however I’m referring to hacking wargames. There are a number of styles however usually you have gain access to to an preliminary shell account somewhere, which is level0, as well as you have to exploit some flaw in the system to handle to get level1 permissions as well as so forth. almost always there’s a level where you have to exploit a legitimate binary (with some shady permissions) that does more than what the routine individual thinks.
In the situation of CVE-2017-8386, less is more.
[Timo Schmid] details exactly how the git-shell, a restricted shell meant to be utilized as the upstream peer in a git remote session over a ssh tunnel, can be abused in order to accomplish arbitrary data read, directory listing as well as somewhat restricted data write. The git-shell fundamental concept is to restrict the enabled commands in an ssh session to the ones needed by git (git-receive-pack, git-upload-pack, git-upload-archive). The researcher realized he might pass parameters to these commands, like the flag –help:
1
2
3
4
5
6
7
$ ssh git@remoteserver “git-receive-pack ‘–help'”
GIT-RECEIVE-PACK(1) Git Manual GIT-RECEIVE-PACK(1)
NOM
git-receive-pack – get what is pushed into the repository
[…]
What the flag does is make the git command open the guy page of git, which is passed on to a pager program, usually less. as well as this is where it get interesting. The less command, if running interactively, can do a number of things you would expect like searching for text, go to a line number, scroll down as well as so on. What it can likewise do is open a new data (:e), save the input to a data (s) as well as execute commands (!). To make it run interactively, you have to force the allocation of a PTY in ssh like so:
1
2
3
4
5
6
7
8
9
$ ssh -t git@remoteserver “git-receive-pack ‘–help'”
GIT-RECEIVE-PACK(1) Git handbook GIT-RECEIVE-PACK(1)
NOM
git-receive-pack – get what is pushed into the repository
Manual page git-receive-pack(1) line 1 (press h for assist or q to quit)
Press h for assist as well as have fun. One caveat is that usual installations the code execution will not truly execute arbitrary commands, since the present running login shell is the git-shell, restricted to only some white listed commands. There are, however, specific configurations where this may happen, such as preserving bash or sh as a login shell as well as limit the individual in methods that they can only utilize git (such as in shared environments without root access). You can see such example here.
The quickest solution seems to be to allow the no-pty flag server-side, in the sshd configuration. This avoids clients from requesting a PTY so less won’t run in an interactive mode.
1
2
3
4
5
6
$ guy less
LESS(1) general Commands handbook LESS(1)
NOM
less – opposite of more
Ironic, isn’t it?