[Bug 5730] New: [CRITICAL]Arbitrary command execution in mercurial repo with a git submodule

mercurial-bugs at mercurial-scm.org mercurial-bugs at mercurial-scm.org
Thu Nov 2 22:30:42 EDT 2017


            Bug ID: 5730
           Summary: [CRITICAL]Arbitrary command execution in mercurial
                    repo with a git submodule
           Product: Mercurial
           Version: stable branch
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: bug
          Priority: wish
         Component: Mercurial
          Assignee: bugzilla at mercurial-scm.org
          Reporter: pnigos at live.com
                CC: mercurial-devel at mercurial-scm.org

I found that using hg to track a crafted mercurial repo with a git submodule
can lead to command execution on user's OS.

The root cause is that hg support to add a git submodule to a hg repo.And so
that i can use hg to track .git directory and thus modify the git config file
from the remote.I use ext helper protocol as a poc.I can modify the git config
file to allow ext helper protocol which has been disallowed in the lastest
version of git and then when victim do anything on the evil git submodule,ext
protocol will be triggered and execute the os command.

Here is the reproduction steps:
1.Create a hg repo;
2.Create a git repo and make a commit to it.(The commit is a must.)
3.Now let us use hg to make a crafted hg repo first.
4.Using hg to checkout the hg repo and then add that git repo as it's
5.Modify the ./hgrepo/gitsubmodule/.git/config to sth like:

    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
[remote "pwn2own"]
    url = ext::whoami
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
    allow = always
I modify two parts,change the remote url to "ext::whoami" and add a protocol
section to allow ext protocol to be used.

Then commit all above changes and push to the remote.

When other victim using hg command to clone that crafted repo and
pull,fetch,checkout,push,etc in the git submodule.Our command will be
executed.As we already can control the git config file on the remote,lots of
options we can use to execute command or do other things.

Mercurial accidently cover the .git folder with user applied .git folder during
hg cloning so that give attacker a chance to modify the config file and lead to
command execution.

This one i firstly reported to sourcetree but later i found the root cause was
on the mercurial side,so i decided to double report it here.

You are receiving this mail because:
You are on the CC list for the bug.

More information about the Mercurial-devel mailing list