Three of the most popular version control systems (VCSs) used in managing source code projects are vulnerable to a flaw that allows an attacker to run code on a victim's platform, potentially leading to the theft of source code or the hijacking of the underlying machine.
Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an "ssh://" link.
Social engineering not necessary to exploit the flaw
Schneeweisz says that a URL in the form of "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.
"While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a more sneaky way when it comes to Git submodules," Schneeweisz explains.
"It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger," the researcher added.
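A defensive check for the submodule case described above, as an added example that is not part of the original article: it scans the text of a repository's `.gitmodules` file and flags any submodule URL whose host part begins with `-`, so the repository can be reviewed before a recursive clone or submodule update. The function names and the sample file content are constructed for illustration, and covering the scp-style `host:path` form is a conservative extra beyond the `ssh://` form the article describes.

```python
import re

# Constructed sample .gitmodules content (not taken from a real repository).
SAMPLE_GITMODULES = '''\
[submodule "docs"]
    path = docs
    url = https://example.com/project/docs.git
[submodule "vendor/lib"]
    path = vendor/lib
    url = ssh://-oProxyCommand=some-command/lib.git
[submodule "tools"]
    path = tools
    url = git@example.com:tools.git
'''

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
URL_RE = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')
SCP_RE = re.compile(r'^(?:[^@/:]+@)?([^/:]+):')


def host_of(url):
    """Return the host string that would be handed to the transport, or None."""
    if "://" in url:
        rest = url.split("://", 1)[1]
        authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
        return authority.rsplit("@", 1)[-1]      # drop any user@ prefix
    match = SCP_RE.match(url)                     # scp-style user@host:path
    return match.group(1) if match else None


def find_suspicious_submodules(gitmodules_text):
    """Return (submodule name, url) pairs whose host begins with '-'."""
    findings, current = [], None
    for line in gitmodules_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            continue
        entry = URL_RE.match(line)
        if entry:
            host = host_of(entry.group(1))
            # A valid hostname never starts with '-'; such a "host" would be
            # read as a command-line option instead.
            if host is not None and host.startswith("-"):
                findings.append((current, entry.group(1)))
    return findings


if __name__ == "__main__":
    for name, url in find_suspicious_submodules(SAMPLE_GITMODULES):
        print(f"suspicious submodule {name!r}: {url}")
```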