
Security implications of ANSI escape codes in Git server responses

Summary

The Git client does not validate messages received from a Git server, and will print anything it receives, including ANSI escape codes, to the terminal. The security implications of allowing ANSI escape codes to be written to the terminal depend on the terminal, shell, resources and configuration options, and can vary from messing up a user's terminal configuration to execution of arbitrary commands.

This lack of client-side validation can be exploited by running a malicious Git server, or through a MITM attack.

For an overview of the types of attacks which are possible with ANSI escape codes, here are some useful links: 1, 2, 3.
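
The validation the summary says is missing can be sketched as a filter that sits between untrusted server output and the terminal. This is an added example, not code from the original post or from Git; the function names and the sample bytes are constructed for illustration.

```python
import re

# ESC-introduced sequences (ECMA-48). Order matters: CSI and OSC first.
ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: params, intermediates, final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"  # OSC: ends at BEL or ST (ESC \)
    r"|\x1b[ -/]*[0-~]"                     # any other escape sequence
)

def classify(seq):
    """Name the family of an escape sequence for logging."""
    if seq.startswith("\x1b["):
        return "CSI"
    if seq.startswith("\x1b]"):
        return "OSC"
    return "ESC"

def visible(ch):
    """Render one character so the terminal cannot act on it."""
    code = ord(ch)
    if ch in "\n\t":
        return ch
    if code < 0x20:                 # C0 controls: ESC -> ^[, BEL -> ^G, CR -> ^M
        return "^" + chr(code + 0x40)
    if code == 0x7F:
        return "^?"
    if 0x80 <= code <= 0x9F:        # C1 controls, e.g. U+009B (8-bit CSI)
        return f"\\x{code:02x}"
    return ch

def sanitize(data):
    """Return (printable text, list of (family, repr) escape sequences seen)."""
    text = data.decode("utf-8", errors="replace")
    found = [(classify(m.group()), repr(m.group()))
             for m in ESCAPE_RE.finditer(text)]
    return "".join(visible(c) for c in text), found

# Constructed sample: a normal progress line, then a line carrying an OSC
# window-title change and a CSI clear-screen.
SAMPLE = (b"remote: Counting objects: 3, done.\n"
          b"remote: \x1b]0;constructed title\x07\x1b[2Jall good\n")

if __name__ == "__main__":
    safe, found = sanitize(SAMPLE)
    print(safe, end="")
    for family, raw in found:
        print(f"[warn] {family} sequence from server: {raw}")
```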

Example

The remainder of this article will be devoted to demonstrating this discovery in action.

Setting up git server

To start the git server, I used the command:

git daemon --enable=receive-pack --verbose --base-path=/home/user/git --export-all

"--enable=receive-pack" allows anyone - unauthenticated - to push to your git server. It's a g…