Related vulnerability
Introduction
# CVE-2021-21300: Arbitrary Code Execution via Malicious Git Hooks
## 📌 Summary
CVE-2021-21300 is a critical vulnerability in Git (versions 2.14.2 to 2.30.1) that allows attackers to execute arbitrary code on victim machines by exploiting symbolic links and case-insensitive file systems.
---
## 🧠 Problem Statement
- **Vulnerability**: Arbitrary code execution via malicious Git hooks.
- **Root Cause**: On a case-insensitive filesystem (Windows/macOS), once `a` is a symlink to `.git/hooks/`, the tracked path `A/post-checkout` resolves to `.git/hooks/post-checkout`.
- **Impact**: Attackers can inject and execute malicious hooks when a user clones the infected repository.
---
## 🔍 Theoretical Background
### The Trick
Git allows user-defined hooks stored in `.git/hooks/`. On case-insensitive file systems:
- A crafted folder like `A/post-checkout` may be interpreted as `.git/hooks/post-checkout`.
- A symbolic link replaces `A/` with `.git/hooks/`, bypassing restrictions.
### The Exploit
1. Create directory `A` and a file `A/post-checkout` containing malicious commands.
2. Stage the directory and its contents for Git.
3. Remove the directory and replace `A` with a symlink to `.git/hooks/`.
4. When Git executes `A/post-checkout`, it actually runs the malicious file in `.git/hooks/`.
---
## ⚠️ Trigger Conditions
- Case-insensitive filesystem (Windows/macOS).
- Symbolic link to `.git/hooks/`.
- Global Git LFS filters enabled.
- The cloning user is able to execute scripts, so the injected hook runs with that user's privileges.
---
## 🛠️ Attack Workflow
### Malicious Repo Generation
- Create `.gitattributes` to trigger LFS processing of `A/post-checkout`.
- Add a malicious script `A/post-checkout` (e.g., prints "PWNED").
- Add fake files `A/a`, `A/b` to make it look legitimate.
- Replace `A/` with symlink to `.git/hooks/`.
- Commit and push the changes.
---
## 🛡 Existing Defenses
### Configuration-Based
- Disable symbolic link support (`core.symlinks=false`), either for a single clone or system-wide:
```sh
git clone -c core.symlinks=false <repo-url>
git config --system core.symlinks false
```
## 💡 Other Potential Defenses
- Automate safe cloning with a Git alias:
  1. Make a destination directory.
  2. Enable case sensitivity on that directory (Windows):
     ```sh
     fsutil file setcasesensitiveinfo <DESTINATION FOLDER> enable
     ```
  3. Clone into that directory.
  4. Create a Git alias that automates these steps for safer cloning.
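A defender-side pre-checkout audit for the trigger conditions above (an added example, not part of this PoC or of Git itself): clone with `--no-checkout` and `core.symlinks=false`, capture `git ls-tree -r HEAD` plus the symlink blobs via `git cat-file -p`, and only check out if the audit returns nothing. The sample tree is constructed from the file snapshot on this page (object ids are placeholders); it flags the `a -> .git/hooks` link and every file under `A/` that a case-insensitive filesystem would write through it.

```python
import posixpath
from typing import Dict, List, Tuple

# Constructed sample matching the file snapshot on this page; the object
# ids are placeholders, not real Git hashes.
SAMPLE_LS_TREE = """\
120000 blob 0000000000000000000000000000000000000001\ta
100644 blob 0000000000000000000000000000000000000002\tA/a
100644 blob 0000000000000000000000000000000000000003\tA/b
100755 blob 0000000000000000000000000000000000000004\tA/post-checkout
100644 blob 0000000000000000000000000000000000000005\tREADME.md
"""
# Constructed symlink contents, as `git cat-file -p <id>` would print them.
SAMPLE_LINK_TARGETS = {"a": ".git/hooks"}

def parse_ls_tree(text: str) -> List[Tuple[str, str]]:
    """Return (mode, path) pairs; mode 120000 marks a symlink entry."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            meta, path = line.split("\t", 1)
            entries.append((meta.split()[0], path))
    return entries

def points_into_git_dir(link_path: str, target: str) -> bool:
    """True if the link, resolved from its own directory, lands inside .git (case-insensitive)."""
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved.split("/")[0].lower() == ".git"

def audit_tree(entries: List[Tuple[str, str]],
               link_targets: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the tree is clean."""
    findings, bad_links = [], {}  # lowercase link path -> original path
    for mode, path in entries:
        target = link_targets.get(path, "")
        if mode == "120000" and points_into_git_dir(path, target):
            findings.append(f"symlink {path} -> {target} points into .git")
            bad_links[path.lower()] = path
    for mode, path in entries:
        parts = path.lower().split("/")
        # A parent directory that equals a flagged link ignoring case would be
        # written through that link on Windows/macOS (A/ vs a on this page).
        prefixes = ["/".join(parts[:i]) for i in range(1, len(parts))]
        hits = [bad_links[p] for p in prefixes if p in bad_links]
        if mode != "120000" and hits:
            findings.append(f"{path} would be written through symlink {hits[0]} "
                            "on a case-insensitive filesystem")
    return findings
```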
File snapshot
[4.0K] /data/pocs/5e9e2dd7d4686c6f04bface7d5d827b7c0afe858
├── [ 10] a -> .git/hooks
├── [4.0K] A
│ ├── [ 0] a
│ ├── [ 0] b
│ └── [ 26] post-checkout
└── [2.2K] README.md
2 directories, 4 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.