Showing posts from January, 2018

Security implications of ANSI escape codes in Git sever responses

Summary The Git client does not validate messages received from a Git server, and will print anything received, including ANSI escape codes , to the terminal. The security implications of allowing ANSI escape codes to be written to the terminal depend on terminal, shell, resources and configuration options, but can vary from messing up a user's terminal configuration to execution of arbitrary commands. This lack of client-side validation can be exploited by running a malicious Git server, or though a MITM attack. For an overview of the types of attacks which are possible with ANSI escape codes, here are some useful links: 1 , 2 , 3 . Example The remainder of this article will be devoted to demonstrating this discovery in action. Setting up git server To start the git server, I used the command: git daemon --enable=receive-pack --verbose --base-path=/home/user/git --export-all "--enable=receive-pack" allows anyone - unauthenticated - to push to your git