Signature Detail

Short Name

APP:MISC:GIT-CLIENT-DIR-TRA

Severity

Minor

Recommended

Yes

Recommended Action

Drop

Category

APP

Keywords

Git Submodules Directory Traversal Code Execution

Release Date

2018/07/03

Update Number

3080

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

APP: Git Submodules Directory Traversal Code Execution

This signature detects directory traversal attempts against the Git client. A successful attack could allow an attacker to execute arbitrary scripts on the targeted system.

Extended Description

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
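The weakness described above is a name-validation failure: the submodule name from .gitmodules is used as a filesystem path component under $GIT_DIR/modules without being checked for ".." segments. The following Python is an added example, not Juniper's signature logic and not Git's own code. It parses the submodule section headers of a .gitmodules document and flags names that contain a ".." path component (splitting on both "/" and "\" so the rule is platform-independent) or that would resolve outside the modules directory. The sample .gitmodules content and the modules location "/repo/.git/modules" are constructed for illustration.

```python
import posixpath
import re

# Constructed sample .gitmodules: one benign entry and two entries whose
# names use traversal-style components. Not taken from any real repository.
SAMPLE_GITMODULES = (
    '[submodule "lib/good"]\n'
    '\tpath = lib/good\n'
    '\turl = https://example.invalid/good.git\n'
    '[submodule "../../../../modules/evil"]\n'
    '\tpath = evil\n'
    '\turl = https://example.invalid/evil.git\n'
    '[submodule "x\\..\\hooks"]\n'
    '\tpath = hooks\n'
    '\turl = https://example.invalid/hooks.git\n'
)

# Matches a section header of the form: [submodule "name"]
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\s*\]\s*$')

# Assumed location of the per-submodule repositories (placeholder path).
MODULES_DIR = "/repo/.git/modules"


def submodule_names(text):
    """Return the submodule names declared in a .gitmodules document, in order."""
    names = []
    for line in text.splitlines():
        match = SECTION_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def has_dotdot_component(name):
    """True if any path component of the name is '..' (either separator)."""
    if not name:
        return True  # an empty name is never a valid submodule name
    return any(part == ".." for part in re.split(r"[/\\]", name))


def escapes_modules_dir(name, modules_dir=MODULES_DIR):
    """True if joining the name onto the modules directory leaves that directory.

    This is the weaker, normalization-based view: a name like 'x/../hooks'
    stays inside the directory after normalization, which is why the
    component check above is the one that actually decides.
    """
    base = posixpath.normpath(modules_dir)
    target = posixpath.normpath(posixpath.join(base, name.replace("\\", "/")))
    return not (target == base or target.startswith(base + "/"))


def audit_gitmodules(text):
    """Map each declared submodule name to its two traversal indicators."""
    return {
        name: {
            "dotdot_component": has_dotdot_component(name),
            "escapes_modules_dir": escapes_modules_dir(name),
        }
        for name in submodule_names(text)
    }


def flagged_names(text):
    """Names that should be rejected before being used under $GIT_DIR/modules."""
    report = audit_gitmodules(text)
    return [name for name, flags in report.items() if any(flags.values())]


if __name__ == "__main__":
    for name, flags in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(f"{name!r}: {flags}")
    print("flagged:", flagged_names(SAMPLE_GITMODULES))
```

Running it over the constructed sample flags the two traversal-style names and leaves "lib/good" alone; the third name shows why the component rule, rather than path normalization, is the right check to apply to untrusted names.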

Affected Products

  • Canonical ubuntu_linux 14.04
  • Canonical ubuntu_linux 16.04
  • Canonical ubuntu_linux 17.10
  • Canonical ubuntu_linux 18.04
  • Debian debian_linux 8.0
  • Debian debian_linux 9.0
  • Gitforwindows git 2.17.1
  • Git-scm git 2.13.6
  • Git-scm git 2.14.0
  • Git-scm git 2.14.1
  • Git-scm git 2.14.2
  • Git-scm git 2.14.3
  • Git-scm git 2.15.0
  • Git-scm git 2.15.1
  • Git-scm git 2.16.0
  • Git-scm git 2.16.1
  • Git-scm git 2.16.2
  • Git-scm git 2.16.3
  • Git-scm git 2.17.0
  • Redhat enterprise_linux 7.0
  • Redhat enterprise_linux_desktop 7.0
  • Redhat enterprise_linux_server 7.0
  • Redhat enterprise_linux_server_eus 7.5
  • Redhat enterprise_linux_workstation 7.0

References

  • BugTraq: 104345
  • CVE: CVE-2018-11235
  • URL: https://marc.info/?l=git&m=152761328506724&w=2

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.