CVE-2024-40644 in gitoxide
Summary
by MITRE • 07/18/2024
gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories. Existing functions, as well as the newly introduced `exe_invocation` function, were updated to make use of these alternative locations. This causes facilities in `gix_path::env` to directly execute `git.exe` in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it. Although unusual setups where the system drive is not `C:`, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no `C:\Program Files (x86)` directory. A limited user on a 32-bit Windows system can therefore create the `C:\Program Files (x86)` directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses `gix-path` and do not have `git` in a `PATH` directory. (While having `git` found in a `PATH` search prevents exploitation, merely having it installed in the default location under the real `C:\Program Files` directory does not. This is because the first hard-coded path's `mingw64` component assumes a 64-bit installation.). Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses `gix-path` and must not have `git` in its `PATH`. The main exploitable configuration is one where Git for Windows has been installed but not added to `PATH`. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its `PATH` to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a `PATH` in which the real `git.exe` can be found, then this cannot be exploited. This issue has been addressed in release version 0.10.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/17/2025
The vulnerability described in CVE-2024-40644 affects the gitoxide library's gix-path component, specifically its handling of Git executable discovery on Windows systems. This represents a privilege escalation vector through path manipulation that exploits the interaction between environment variable handling and hardcoded directory paths. The flaw exists in version 0.10.8 of the gix-path module and stems from the library's fallback mechanism that checks hard-coded Windows Program Files directories. When a Git executable is not found via standard PATH searching, the code attempts to locate git.exe in predetermined locations including both 64-bit and 32-bit Program Files directories, creating an attack surface that can be exploited by unprivileged users.
The technical implementation of this vulnerability leverages Windows' directory creation permissions for limited user accounts, which allow them to create new directories at the root of the system drive. This is particularly problematic on 32-bit Windows systems where the absence of a dedicated Program Files (x86) directory creates a unique exploitation opportunity. A limited user can create the directory structure that the library expects and place malicious executables in those locations, effectively bypassing normal security controls that would otherwise prevent execution of arbitrary code. The vulnerability manifests when applications using gix-path attempt to discover Git executables and execute them without proper validation of the discovered paths, creating a path traversal-like condition in the context of executable discovery.
The operational impact of this vulnerability extends beyond simple code execution to encompass privilege escalation and potential system compromise. While exploitation requires a user account on the target system, the attack vector is particularly concerning because it can be leveraged by attackers with relatively low privileges to execute code as other users, including administrators. The vulnerability is most prevalent in environments where Git for Windows has been installed without adding it to the PATH variable, which is an installer option that isn't selected by default. This creates a scenario where legitimate applications using gix-path will attempt to locate Git executables through the fallback mechanism, inadvertently executing malicious payloads placed by attackers in the hardcoded locations. The vulnerability also demonstrates a failure in the principle of least privilege during executable discovery, where the library assumes that hardcoded paths are trustworthy without validation.
The attack scenario requires specific conditions to be met, making it somewhat less likely than other vulnerabilities but still significant given the potential for privilege escalation. The exploit is most effective on 32-bit Windows systems due to the directory structure differences, and the attacker must have a user account on the target system. Even if an attacker has a relatively unprivileged account, they can potentially escalate privileges by ensuring that target user accounts run applications that use gix-path and have not configured their PATH to include the legitimate Git installation. The vulnerability highlights issues with the ATT&CK technique T1068, which involves exploiting local privilege escalation opportunities, and aligns with CWE-78, which covers improper neutralization of special elements used in OS commands. The fix in version 0.10.9 addresses this by removing the hardcoded path fallback mechanism and implementing proper validation of discovered Git executables, ensuring that only trusted paths are used for execution.
Security implications of this vulnerability extend to organizations that deploy applications using gitoxide in environments where users might have limited access or where PATH sanitization is insufficient. The issue demonstrates the importance of proper input validation and executable discovery in security-sensitive code, particularly when dealing with system-level operations that can affect privilege boundaries. Organizations should immediately upgrade to version 0.10.9 or later to mitigate this risk, as no workarounds exist for this particular vulnerability. The vulnerability also underscores the need for defensive programming practices that avoid relying on hardcoded system paths for critical operations, particularly in libraries that may be used across different system configurations and privilege levels. This represents a failure in secure coding practices that can be addressed through better validation of system paths and more robust error handling in executable discovery mechanisms.