Git update fixes 8 vulnerabilities

Corrective releases of the distributed version control system Git 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4 and 2.14.6 have been published. They fix vulnerabilities that allow an attacker to overwrite arbitrary paths in the file system, arrange remote code execution, or overwrite files inside the ".git/" directory. Most of the issues were identified by staff of the Microsoft Security Response Center; five of the eight vulnerabilities are specific to the Windows platform.

  • CVE-2019-1348 - the stream command "feature export-marks=path" allows the marks file to be written to an arbitrary path, which can be used to overwrite arbitrary paths in the file system when "git fast-import" is run on unverified input data.
  • CVE-2019-1350 - incorrect escaping of command-line arguments could lead to remote execution of attacker code during recursive cloning over an ssh:// URL. Specifically, arguments ending in a backslash (for example, "test\") were escaped incorrectly: when such an argument was wrapped in double quotes, the closing quote ended up escaped by the trailing backslash, which made it possible to inject additional options into the command line.
  • CVE-2019-1349 - when recursively cloning submodules ("clone --recurse-submodules") on Windows, under certain conditions the same git directory could be used twice (.git, git~1, git~2 and git~N are treated as the same directory on NTFS, but the check only covered git~1), which could be used to write into the ".git" directory. To get its code executed, an attacker could, for example, plant a script through the post-checkout hook configured in .git/config.
  • CVE-2019-1351 - the handler for drive letters in Windows paths, when interpreting a path such as "C:\", was written to accept only a single Latin letter and did not account for virtual drives assigned with "subst letter: path". Such paths were treated not as absolute but as relative paths, which made it possible, when cloning a malicious repository, to write a file into an arbitrary directory outside the working tree (for example, by using a digit or Unicode character as the drive name: "1:\what\the\hex.txt" or "Ä:\tschibät.sch").
  • CVE-2019-1352 - on the Windows platform, NTFS alternate data streams, created by appending a ":stream-name:stream-type" suffix to a file name, could be used to overwrite files in the ".git/" directory when cloning a malicious repository. For example, the name ".git::$INDEX_ALLOCATION" was treated on NTFS as a valid reference to the ".git" directory.
  • CVE-2019-1353 - when Git was used under WSL (Windows Subsystem for Linux), the protection against NTFS name manipulation was not applied when accessing the working directory (attacks through short FAT-style names were possible; for example, ".git" could be reached through the "git~1" directory).
  • CVE-2019-1354 - it was possible to write into the ".git/" directory on the Windows platform when cloning a malicious repository containing files with a backslash in the name (for example, "a\b"), which is legal on Unix/Linux but is interpreted as a path separator on Windows.
  • CVE-2019-1387 - insufficient checking of submodule names could be used to mount targeted attacks which, with recursive cloning, could potentially lead to execution of attacker code. Git did not prevent a submodule directory from being created inside another submodule's directory, which in most cases only causes confusion, but it did not rule out the contents of one module being overwritten by another during recursive cloning (for example, the submodule directories "hippo" and "hippo/hooks" are placed in ".git/modules/hippo/" and ".git/modules/hippo/hooks/", and the hooks directory inside hippo could then be used to plant hooks).
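The CVE-2019-1350 entry above turns on one detail of Windows command-line quoting: a backslash immediately before a double quote escapes that quote. The following added example (not Git's code; it models the flaw in plain Python) implements the documented CommandLineToArgvW parsing rules for backslashes and quotes, then contrasts a naive quoter that only escapes embedded quotes with one that also doubles backslashes before a quote or at the end of the argument. The argument values are constructed for illustration.

```python
def parse_windows_cmdline(cmdline):
    """Split a Windows command line into arguments using the rules that
    CommandLineToArgvW applies to backslashes and double quotes:
    2n backslashes + quote -> n backslashes, quote toggles quoting;
    2n+1 backslashes + quote -> n backslashes + literal quote;
    backslashes not followed by a quote are literal."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            n = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (n // 2))
                if n % 2 == 0:
                    in_quotes = not in_quotes
                else:
                    cur.append('"')
                i = j + 1
            else:
                cur.append("\\" * n)
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def quote_windows_arg_buggy(arg):
    """Naive quoting: wrap in double quotes and escape only embedded quotes.
    A trailing backslash then escapes the closing quote (the CVE-2019-1350 pattern)."""
    return '"' + arg.replace('"', '\\"') + '"'


def quote_windows_arg(arg):
    """Correct quoting: backslashes that precede a quote, or sit at the end of
    the argument, are doubled so the closing quote is never escaped."""
    out, backslashes = ['"'], 0
    for c in arg:
        if c == "\\":
            backslashes += 1
        elif c == '"':
            out.append("\\" * (backslashes * 2 + 1) + '"')
            backslashes = 0
        else:
            out.append("\\" * backslashes + c)
            backslashes = 0
    out.append("\\" * (backslashes * 2) + '"')
    return "".join(out)


def demo(arg="test\\", following="next"):
    """Quote `arg` both ways, append a second argument, and show how each
    command line is parsed back. Returns (buggy_argv, fixed_argv)."""
    buggy = parse_windows_cmdline(quote_windows_arg_buggy(arg) + " " + following)
    fixed = parse_windows_cmdline(quote_windows_arg(arg) + " " + following)
    return buggy, fixed


if __name__ == "__main__":
    buggy, fixed = demo()
    print("buggy quoting parses to:", buggy)   # one merged argument
    print("fixed quoting parses to:", fixed)   # two separate arguments
```

With the naive quoter, `test\` followed by `next` collapses into a single argument `test" next`, which is exactly the mechanism that let a crafted ssh:// URL smuggle options into the spawned command. The corrected quoter keeps the two arguments apart.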

Windows users are advised to update their Git version immediately and to refrain from cloning unverified repositories until they have done so. If it is not possible to update Git promptly, then to reduce the risk of attack it is recommended not to run "git clone --recurse-submodules" or "git submodule update" against unverified repositories, not to feed unchecked input streams to "git fast-import", and not to clone repositories onto NTFS-based partitions.

For additional hardening, the new releases also forbid settings of the form "submodule.{name}.update=!command" in .gitmodules. For the distributions, package updates can be tracked on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, ALT and FreeBSD.
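Several of the entries above (CVE-2019-1349, -1351, -1352, -1353, -1354 and -1387) and the .gitmodules restriction just mentioned all come down to names that a repository ships and that a Windows or NTFS checkout interprets differently from the Unix host that produced them. The added example below (not Git's own checks; a stand-alone audit script) walks a list of tracked paths and a .gitmodules file and reports the patterns the advisory describes: backslashes in names, NTFS alternate data streams and drive-like prefixes, 8.3 short names aliasing ".git", nested submodule names, and "update=!command" entries. The sample paths and .gitmodules content are constructed for illustration and mirror the names quoted in the advisory.

```python
import configparser
import re

# Constructed sample of tracked paths (what `git ls-tree -r --name-only` would print)
SAMPLE_PATHS = [
    "src/main.c",
    "a\\b",                        # backslash in a name (CVE-2019-1354)
    ".git::$INDEX_ALLOCATION",     # NTFS alternate data stream (CVE-2019-1352)
    "git~1/hooks/post-checkout",   # 8.3 short name for .git (CVE-2019-1349/1353)
    "1:\\what\\the\\hex.txt",      # non-letter drive prefix (CVE-2019-1351)
    "docs/README.md",
]

# Constructed .gitmodules; git accepts keys with or without leading tabs
SAMPLE_GITMODULES = """\
[submodule "hippo"]
path = hippo
url = https://example.invalid/hippo.git
[submodule "hippo/hooks"]
path = hippo/hooks
url = https://example.invalid/hooks.git
[submodule "lib"]
path = lib
url = https://example.invalid/lib.git
update = !sh -c 'echo hi'
"""

SHORT_NAME_RE = re.compile(r"^git~\d+$", re.IGNORECASE)


def suspicious_tree_path(path):
    """Return the reasons a tracked path is unsafe to check out on Windows/NTFS.
    An empty list means the path passed every check."""
    reasons = []
    if "\\" in path:
        reasons.append("backslash in name acts as a separator on Windows")
    # Split on both separators so a component like "1:" is examined on its own
    for comp in re.split(r"[/\\]", path):
        # NTFS ignores a trailing ":stream" suffix and trailing dots/spaces
        base = comp.split(":", 1)[0].rstrip(". ").lower()
        if base == ".git":
            reasons.append("component aliases the .git directory: %r" % comp)
        elif SHORT_NAME_RE.match(comp):
            reasons.append("8.3 short name aliasing .git: %r" % comp)
        if ":" in comp:
            reasons.append("colon in component (ADS or drive prefix): %r" % comp)
    return reasons


def scan_paths(paths):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    report = {}
    for p in paths:
        reasons = suspicious_tree_path(p)
        if reasons:
            report[p] = reasons
    return report


def check_gitmodules(text):
    """Flag update=!command entries and submodule names nested inside each other
    (which collide under .git/modules/, the CVE-2019-1387 pattern)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings, names = [], []
    for section in cfg.sections():
        m = re.match(r'^submodule "(.+)"$', section)
        if not m:
            continue
        name = m.group(1)
        names.append(name)
        if cfg[section].get("update", "").startswith("!"):
            findings.append("%s: update=!command in .gitmodules" % name)
    for outer in names:
        for inner in names:
            if inner.startswith(outer + "/"):
                findings.append("%s nests inside %s (.git/modules overlap)" % (inner, outer))
    return findings


if __name__ == "__main__":
    for path, reasons in scan_paths(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
    for finding in check_gitmodules(SAMPLE_GITMODULES):
        print("gitmodules:", finding)
```

Run against a freshly fetched (not yet checked-out) repository by feeding the output of `git ls-tree -r --name-only` and the contents of `.gitmodules` to these functions; anything reported is worth inspecting before the tree is materialised on an NTFS volume or before a recursive submodule update is run.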

Source: opennet.ru
