Grey Wizard
Grey Wizard

Git hacking

Git - a version control system. It has plenty of functions which can be used for unethical purposes as well.

History edition

History edition is a very useful function in terms of cybersecurity. Let us imagine the following situation – the Internet website was extended by one person; a repository was kept in a git. Although it is regarded as a negative practice, passwords were kept in the repository. The design was expanded; another person joined to help. In such a situation, keeping passwords in a repository (e.g. for Amazon services) seems to be extremely irresponsible. Of course, passwords may be deleted and a new repository may be created without them but it deletes the history of changes. In such a case we can make use of a git. The script below will delete 'passwords.txt` file from the history:

# a file which we want to delete from the history
UNSAFE_FILE=passwords.txt
# commita identifier from which we edit the history, in this case this will be the first commit
FIRST_COMMIT=$(git rev-list HEAD | tail -n 1)
# local clearing of the history

git filter-branch -- index-filter 'git rm -- cached -- ignore-unmatch ${UNSAFE_FILE}'
${FIRST_COMMIT}..HEAD
git push -- force

Apart from deleting sensitive data from a repository, it is also possible to delete key files. It is worth blocking a possibility of executing a command git push with a flag --force.

Publishing changes on behalf of a colleague

Another interesting function of a git is the possibility of publishing changes as any person. It is easy to imagine a prospective joke with a project which the entire team works on. How to make such an attack? Firstly, we have to obtain our colleague's e-mail address and name. With access to the victim's computer, we obtain such data by means of commands:

  • git config user.name
  • git config user.email

But in this case we have no access to the victim's computer – only access to a repository. All these data are contained in the repository so it is enough to know an appropriate command:

git log

Using a switch -- author it is possible to narrow the list of displayed results, for example:

git log -- author="jane"

The execution of git log command will result in the displaying of a list of commits in the following form:

commit e5f70869bbb5914cf8836829d30ac8187bcb774b
Author: jdoe <jane.doe@company.com>
Date: Fri Mar 10 10:13:56 2017 +0100

  Update README.txt

Now, we have all data necessary for performing an attack. Let us analyse the script below:

TMP_GIT_NAME=jane
TMP_GIT_EMAIL=jane.doe@greywizard.com

OLD_GIT_NAME=$(git config user.name)
OLD_GIT_EMAIL=$(git config user.email)

git config user.name ${TMP_GIT_NAME}
git config user.email ${TMP_GIT_EMAIL}
git add .
git commit -m "My important changes"
git push
git config user.name ${OLD_GIT_NAME}
git config user.email ${OLD_GIT_EMAIL}

Two first lines are the definition of variables which correspond to the settings of personal information of the attack's victim. Two subsequent lines are loading current git settings, then we have settings substitution with the victim's data, publishing changes and finally restoring initial data. An attack is extremely simple and does not require any particular knowledge; it does not require any specialist tools.

Attack possibility

An attacker which had access to a repository may, in the above manner, introduce its own backdoor to the code without arousing suspiciousness of the team working on the project, in effect taking over access to the production machine.

Signing commits with a GPG key

In order to secure against such an attack, it is necessary to sign commits with a GPG key. A commit signed with an incorrect key will be marked appropriately, e.g. on Github.

Changing the author of the existing commits.

Git allows not only for publishing changes on behalf of a colleague but it also allows for becoming the author of colleague's changes which were previously published. We prepare a script ~/change-author.sh and we paste the following code:

#!/bin/sh
git filter-branch -- env-filter '
OLD_GIT_EMAIL="john.doe@company.com"
NEW_GIT_NAME="Jane Doe"
NEW_GIT_NAME="jane.doe@company.com"
if [ "$GIT_COMMITTER_EMAIL" = "$OLD_GIT_EMAIL" ]
then
export GIT_COMMITTER_NAME="$NEW_GIT_NAME"
export GIT_COMMITTER_EMAIL="$NEW_GIT_NAME"
fi
if [ "$GIT_AUTHOR_EMAIL" = "$OLD_GIT_EMAIL" ]
then
export GIT_AUTHOR_NAME="$NEW_GIT_NAME"
export GIT_AUTHOR_EMAIL="$NEW_GIT_NAME"
fi
' -- tag-name- filter cat -- -- branches -- tags
The substitution of an author will now consist in the execution of the following commands:
git clone -- bare https://github.com/user/repo.git
cd repo.git
~/change-author.sh
git push -- force -- tags origin 'refs/heads/*'

In order to protect against an attack we should use protected branches on Github.

Andrzej Prałat
Grey Wizard
×

For media

Provide us with contact details.

Thank you