700+ self-hosted Git instances battered in 0-day attacks
www.theregister.com
: More than half of internet-exposed instances already compromised

By ‘Git instances’ they mean Gogs instances that allow open registration. I know most of the community moved from Gogs to Gitea, and then to Forgejo, but thought this was still worth noting.

  • bort@sopuli.xyzEnglish
    91·
    20 hours ago

    Here are the steps:

    • The attacker creates a standard Git repository.
    • They commit a single symbolic link pointing to a sensitive target.
    • Using the PutContents API, they write data to the symlink. The system follows the link and overwrites the target file outside the repository.
    • By overwriting .git/config (specifically the sshCommand), the attacker can force the system to execute arbitrary commands–

    amazing.

    • addie@feddit.ukEnglish
      21·
      17 hours ago

      Especially since any version of Git from the last view years has a passionate hatred of symlinks for this reason, which is a bit annoying if you’ve a legit usecase. They’re either very out-of-date, or have done some very foolish customisation…