This module exploits CVE-2018-17456, which affects Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower. When a submodule url which starts with a dash e.g "-u./payload" is passed as an argument to git clone, the file "payload" inside the repository is executed. This module creates a fake git repository which contains a submodule containing the vulnerability. The vulnerability is triggered when the submodules are initialised (e.g git clone --recurse-submodules URL)

Module Name

exploit/multi/http/git_submodule_url_exec

Authors

• timwr

References

• CVE-2018-17456
• URL: https://marc.info/?l=git&m=153875888916397&w=2
• URL: https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6
• URL: https://blog.github.com/2018-10-05-git-submodule-vulnerability

Targets

• Automatic

Platforms

• unix

Architectures

• cmd

Reliability

• Excellent

Development

• Source Code
• History

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

Related Vulnerabilities

• Alpine Linux: CVE-2018-17456: Git RCE vulnerability regarding submodules
• Debian: CVE-2018-17456: git -- security update
• Huawei EulerOS: CVE-2018-17456: git security update
• Oracle Solaris 11: CVE-2018-17456: Vulnerability in Git