A proof-of-concept of a vulnerability in custom shell prompt scripts (github.com)
A proof-of-concept of a vulnerability in custom shell prompt scripts





The "official" git prompt[1] is safe on Bash; the script doesn't run.

[1]: https://github.com/git/git/blob/master/contrib/completion/gi...

In particular see the long comment at line 324.

> If the shell would expand the contents of PS1 when drawing the prompt, a raw ref name must not be included in PS1. This protects the user from arbitrary code execution via specially crafted ref names. For example, a ref named 'refs/heads/$(IFS=_;cmd=sudo_rm_-rf_/;$cmd)' might cause the shell to execute 'sudo rm -rf /' when the prompt is drawn.

[1]: https://github.com/git/git/blob/9d77b0405ce6b471cb5ce3a90436...

Nothing gets past Linus

That code appears to be written by someone named Richard Hansen. I don't even see Linus in the git blame output of that file.

Tab autocompletion looks to be affected too, at least on my system. Create a branch called 'complete_$(./foo)'. Then type 'git checkout comp<TAB>'. This gets autocompleted to

    git checkout complete_$(./foo)
If you hit Enter at this point without thinking you'll end up running './foo'. It should have expanded instead to something like

    git checkout 'complete_$(./foo)'
or

    git checkout complete_\$\(./foo\)

Cute idea. I'm willing to bet that the Bash script I wrote for some of my co-workers is vulnerable. I guess that's something I should find out ... by making their computers do stuff.

However, I currently use Fish shell myself and it seems to be safe: http://imgur.com/a/rjocA

Confirmed that default bash-it Git shell prompt is vulnerable on OS X.

https://github.com/Bash-it/bash-it

This is worrisome. Even carelessly trying to checkout a branch named like that is vulnerable without a prompt being involved:

    git co -b foo <Tab> to complete branch names
    git co -b foo $(./pw3n) <- execution right here

On fish and omf here, not vulnerable. I suppose I should test fisherman on my other machine as well.

I've confirmed fisherman is safe on my machine.

Neat. My fancy Git prompt is a program I wrote in C, though. I'm sure it's vulnerable to something, but not to this. Maybe it should escape shell metacharacters in branch names, though.

Forgive me if I'm misunderstanding the vulnerability, but isn't this one of Raymond Chen's "It rather involved being on the other side of this airtight hatchway" exploits? That is, any commands you run has the same permissions as you have.

Now, I understand that you may not intimately understand 100% the code of the commands and shell extensions you use, but is that a "vulnerability"?

Cloning a repository and cd'ing into it should always be safe, no matter what that repository is. This vulnerability makes it not safe.

It wouldn't even require an explicit clone. An attacker could send you a zip file containing a malicious .git directory, and then you'd lose the moment you cd'd into the unzipped directory to check it out.

If allows an attacker to execute arbitrary code in a situation where you wouldn't expect that (such as merely CDing to an attacker-controlled directory), then yeah of course it's a vulnerability.

Yes, this is more like the "a PDF that runs arbitrary commands when you open it" class.

The privilege escalation is from "can push code to a repository that you pull from" to "can run code as you". The idea is that you trust the shell extension you're using, but a particular git repo exploits a vulnerability in that shell extension.

git cloning code vs. running code is sometimes a security boundary and sometimes not. For instance, if you go cd into that directory and then run make or ./configure or ./setup.py install or docker run or something, then yeah, you've removed that boundary. But in general, it's reasonable to keep the boundary there. Perhaps you're doing code review of code by an untrusted author, either of someone else's project or of a pull request to your own project. Perhaps you're packaging up the software to run it as a less-privileged account. Perhaps you're a sysadmin helping a user figure something out. And so forth.

Thanks for the explanation.

Dang. Unfortunately I am not vulnerable, and I use default ohmyzsh.

This is a neat bug, though. Lots of package managers have similar problems, and I would not be surprised if there's a lot of git/shell/environment problems left to find.

Why is it unfortunate that you're not vulnerable? Isn't that a good thing?

He's an applications security researcher. That stuff is fun for him.

Oh god why. Use https://github.com/sorin-ionescu/prezto

Are you not going to give a reason?

Liquid Prompt [0] seems safe.

[0] https://github.com/nojhan/liquidprompt

Nice find. Luckily I am hyper-paranoid about escaping, so even though my custom jankery is probably not as performant as it could be, it's not vulnerable to this or similar exploits.

My OSX shell prompt is vunerable, I'm using zsh, oh-my-zsh, and powerlevel9k/powerlevel9k as my theme.

Confirmed that the official git prompt for Fish is not vulnerable.

git for windows seems to be fine.

bash-git-prompt is vulnerable.

ohmyzsh is vulnerable.

ohmyzsh seems to be not vulerable, but the powerlevel9k theme is

Didn't work for me - I'm using oh-my-zsh in iTerm2, and I'm just using the git plugin & a custom theme, nothing else. Maybe we're using different plugins?

Really? As far as I can tell, the `git_current_branch` function in `lib/git.zsh` is fine.

Mine isn't, YMMV.

