Impact
Git for Windows ships with an executable called connect.exe
, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections.
The location of connect.exe
's config file is hard-coded as /etc/connectrc
which will typically be interpreted as C:\etc\connectrc
. Since C:\etc
can be created by any authenticated user, this makes connect.exe
susceptible to malicious files being placed there by other users on the same multi-user machine.
Patches
The problem has been patched in Git for Windows v2.40.1.
Workarounds
Create the folder etc
on all drives where Git commands are run, and remove read/write access from those folders:
mkdir \etc
icacls \etc /inheritance:r
Alternatively, be very careful to watch out for malicious <drive>:\etc\connectrc
files on multi-user machines.
References
Source code repository of the connect
proxy: https://github.com/gotoh/ssh-connect
Impact
Git for Windows ships with an executable called
connect.exe
, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections.The location of
connect.exe
's config file is hard-coded as/etc/connectrc
which will typically be interpreted asC:\etc\connectrc
. SinceC:\etc
can be created by any authenticated user, this makesconnect.exe
susceptible to malicious files being placed there by other users on the same multi-user machine.Patches
The problem has been patched in Git for Windows v2.40.1.
Workarounds
Create the folder
etc
on all drives where Git commands are run, and remove read/write access from those folders:Alternatively, be very careful to watch out for malicious
<drive>:\etc\connectrc
files on multi-user machines.References
Source code repository of the
connect
proxy: https://github.com/gotoh/ssh-connect