https://bz.mercurial-scm.org/show_bug.cgi?id=5730
Bug ID: 5730 Summary: [CRITICAL]Arbitrary command execution in mercurial repo with a git submodule Product: Mercurial Version: stable branch Hardware: All OS: All Status: UNCONFIRMED Severity: bug Priority: wish Component: Mercurial Assignee: bugzi...@mercurial-scm.org Reporter: pni...@live.com CC: mercurial-devel@mercurial-scm.org I found that using hg to track a crafted mercurial repo with a git submodule can lead to command execution on user's OS. The root cause is that hg support to add a git submodule to a hg repo.And so that i can use hg to track .git directory and thus modify the git config file from the remote.I use ext helper protocol as a poc.I can modify the git config file to allow ext helper protocol which has been disallowed in the lastest version of git and then when victim do anything on the evil git submodule,ext protocol will be triggered and execute the os command. Here is the reproduction steps: 1.Create a hg repo; 2.Create a git repo and make a commit to it.(The commit is a must.) 3.Now let us use hg to make a crafted hg repo first. 4.Using hg to checkout the hg repo and then add that git repo as it's submodule. 5.Modify the ./hgrepo/gitsubmodule/.git/config to sth like: [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode = true [remote "pwn2own"] url = ext::whoami fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/master [protocol] allow = always I modify two parts,change the remote url to "ext::whoami" and add a protocol section to allow ext protocol to be used. Then commit all above changes and push to the remote. When other victim using hg command to clone that crafted repo and pull,fetch,checkout,push,etc in the git submodule.Our command will be executed.As we already can control the git config file on the remote,lots of options we can use to execute command or do other things. Mercurial accidently cover the .git folder with user applied .git folder during hg cloning so that give attacker a chance to modify the config file and lead to command execution. This one i firstly reported to sourcetree but later i found the root cause was on the mercurial side,so i decided to double report it here. -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ Mercurial-devel mailing list Mercurial-devel@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel