Git for Windows uninstaller is vulnerable to DLL hijacking when run under the SYSTEM user account


Userlevel 7
Badge +5

Git has released a new verson to address some security vulnerabilities, As reported, we are aware that GitHub is affected. But there is a need to upgrade your local installation of Git, especifially when you are using Git on Windows or on multi-user machines. All credit goes to to 俞晨东, and the fix was authored by Johannes Schindelin.

 

CVE-2022-24765

As stated in this article, this vulnerability affects multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in C:\.git, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs git status (or git diff) and navigate to a directory that is supposedly not a Git worktree, or open such a directory in an editor or IDE such as VS Code or Atom, which will potentially run commands defined by that other user.

 

Vulnerability Impact

Since part of Git for Windows’ uninstaller is copied into the current user’s temporary directory and run in that place, it is important to ensure that there are no malicious .dll file in that directory that might be loaded as part of loading the executable.

However, the default system settings for TMP and TEMP are to point to C:\Windows\Temp, a folder that is world-writable (for historical reasons), and the SYSTEM user account inherits those settings. This means that any authenticated user can place malicious .dll files that are loaded when Git for Windows’ uninstaller is run via the SYSTEM account.

 

How to Remediate this vulnerability

The most effective way to protect against this vulnerability is to upgrade to Git v2.35.2. This version changes Git’s behavior when looking for a top-level .git directory to stop when its directory traversal changes ownership from the current user. (If you wish to make an exception to this behavior, you can use the new multi-valued safe.directory configuration).

This will ensure the previous version of Git is uninstalled and have the new version “Git for Windows 2.35.2” is installed as shown below.

Workaround

If you can’t upgrade immediately, there is a workaround to help reduce the following risk discussed above.

  • Override SYSTEM’s TMP environment variable to point to a directory exclusively under SYSTEM’s control before running the uninstaller
  • Sweeping C:\Windows\Temp of all .dll files before running the uninstaller
  • Running the uninstaller under an admin account rather than SYSTEM.

More information can be found in the following link1 and link2.


5 comments

Userlevel 7
Badge +6

Thanks for sharing.  Good to know for those that use GIT.

Userlevel 7
Badge +5

Thanks for sharing.  Good to know for those that use GIT.

You are welcome! 

Userlevel 7
Badge +4

@Iams3le  thx for info m8

Userlevel 7
Badge +3

thank you i didn't know that

Userlevel 7
Badge +5

thank you i didn't know that

You are welcome. As at last week there was a new versionGit v2.35.3

Comment