CVE-2023-22743
📋 TL;DR
CVE-2023-22743 is a DLL side-loading vulnerability in Git for Windows that allows local attackers to execute arbitrary code with elevated privileges. By placing a malicious DLL in a specific subdirectory next to the installer, attackers can trick Windows into loading their payload during automated upgrades. This affects users who run the Git for Windows installer from untrusted directories.
💻 Affected Systems
- Git for Windows
📦 What is this software?
Git For Windows by Git For Windows Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with SYSTEM/administrator privileges during automated Git upgrades.
Likely Case
Local privilege escalation allowing attackers to gain administrative access on systems where they have write access to installer directories.
If Mitigated
No impact if proper directory hygiene is maintained and patched versions are used.
🎯 Exploit Status
Requires local file system write access and knowledge of specific directory structure. Exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.39.2.windows.1
Vendor Advisory: https://github.com/git-for-windows/git/security/advisories/GHSA-gf48-x3vr-j5c3
Restart Required: No
Instructions:
1. Download Git for Windows 2.39.2 or later from official sources.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the installation with 'git --version'.
🔧 Temporary Workarounds
Directory hygiene (Windows)
Move the Git installer to a clean directory before execution
Move git-installer.exe from the Downloads folder to C:\Temp\ or another clean directory before running it
Clean Downloads folder (Windows)
Remove untrusted files from the Downloads folder before running the installer
Remove all files from %USERPROFILE%\Downloads\ before executing the Git installer
🧯 If You Can't Patch
- Always run Git installer from a clean, newly created directory with no other files
- Implement strict access controls on directories where Git installer might be executed
🔍 How to Verify
Check if Vulnerable:
Check the Git version with 'git --version'. If the version is below 2.39.2, the system is vulnerable.
Check Version:
git --version
Verify Fix Applied:
Run 'git --version' and confirm output shows 2.39.2 or higher.
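The check above is easy to get wrong when scripted, because comparing version strings lexically puts '2.39.10' before '2.39.2'. The following added example (not from the advisory or the Git for Windows project) parses the 'git --version' output into integer components, ignores the '.windows.N' build suffix, and compares against the 2.39.2 fix version; the sample strings are constructed, and the output format 'git version X.Y.Z.windows.N' is assumed from what Git for Windows prints.

```python
"""Classify 'git --version' output against the CVE-2023-22743 fix version
(2.39.2). Added example; assumes the 'git version X.Y.Z[.windows.N]'
output format. Sample strings below are constructed."""
import re
import subprocess

FIXED = (2, 39, 2)  # first patched release named in the advisory

# Accept both plain and Git-for-Windows-style version strings.
_VERSION_RE = re.compile(r"git version (\d+)\.(\d+)\.(\d+)(?:\.windows\.(\d+))?")


def parse_git_version(output):
    """Return (major, minor, patch) from 'git --version' output, or None.

    The '.windows.N' suffix is matched but dropped: the fix is identified
    by the upstream version number, not the Windows build counter."""
    m = _VERSION_RE.search(output.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_patched(output):
    """True when the reported version is 2.39.2 or later.

    Integer tuples compare numerically, so 2.39.10 and 2.40.0 are both
    correctly treated as newer than 2.39.2."""
    v = parse_git_version(output)
    return v is not None and v >= FIXED


def check_installed_git():
    """Run the real 'git --version' on this machine and classify it.

    Returns 'patched', 'vulnerable' or 'unknown' (git missing or the
    output did not parse)."""
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    if parse_git_version(out) is None:
        return "unknown"
    return "patched" if is_patched(out) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs, including the cases a string compare mishandles.
    for sample in ("git version 2.39.1.windows.1",
                   "git version 2.39.2.windows.1",
                   "git version 2.39.10.windows.1",
                   "git version 2.40.0.windows.1"):
        print(f"{sample!r:40} -> {'patched' if is_patched(sample) else 'VULNERABLE'}")
    print("installed git:", check_installed_git())
```

The version number only tells you the installed build; it says nothing about how the installer was launched, so a fleet-wide check should also confirm the installer binary is no longer sitting in a shared Downloads folder.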
📡 Detection & Monitoring
Log Indicators:
- Process creation events for git installer from suspicious directories
- DLL loading events from non-standard paths during Git installation
Network Indicators:
- None - this is a local file system attack
SIEM Query:
Process Creation where Image contains 'git' AND (CurrentDirectory contains 'Downloads' OR CommandLine contains suspicious DLL paths)
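As an added example (not from the advisory or the Git for Windows project), the detection logic below applies both log indicators to Sysmon-style events: the installer starting from a Downloads directory (Event ID 1) and the installer loading a DLL from outside the Windows system directories (Event ID 7). The field names follow Sysmon's Image / CurrentDirectory / ImageLoaded naming, the installer filename patterns are assumptions, and every event in the sample set is constructed.

```python
"""Run the advisory's detection indicators over Sysmon-style events.
Added example; field names follow Sysmon conventions, installer name
patterns are assumed, and all events are constructed sample data."""
import fnmatch
from pathlib import PureWindowsPath

# Assumed installer filename patterns: the advisory's generic name plus the
# Git-<version>-<arch>-bit.exe form; matched case-insensitively.
INSTALLER_PATTERNS = ("git-installer.exe", "git-*-bit.exe")
# Directory name the SIEM query keys on.
UNTRUSTED_DIR_NAMES = {"downloads"}
# DLL origins considered normal for an installer process.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def is_git_installer(image):
    """True if the process image name looks like a Git for Windows installer."""
    name = PureWindowsPath(image).name.lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in INSTALLER_PATTERNS)


def in_untrusted_dir(path):
    """True if any component of the path is an untrusted directory name."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & UNTRUSTED_DIR_NAMES)


def dll_from_trusted_dir(dll_path):
    """True if the DLL sits in (or under) one of the trusted system dirs."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def analyze(events):
    """Return (rule, detail) alerts for suspicious events, in input order."""
    alerts = []
    for ev in events:
        if not is_git_installer(ev.get("Image", "")):
            continue  # only the installer process is in scope
        if ev["EventID"] == 1 and (in_untrusted_dir(ev["CurrentDirectory"])
                                   or in_untrusted_dir(ev["Image"])):
            alerts.append(("installer-from-downloads",
                           f"{ev['Image']} started in {ev['CurrentDirectory']}"))
        elif ev["EventID"] == 7 and not dll_from_trusted_dir(ev["ImageLoaded"]):
            alerts.append(("dll-from-nonstandard-path",
                           f"{ev['Image']} loaded {ev['ImageLoaded']}"))
    return alerts


# Constructed sample events: an installer run from Downloads that loads a
# DLL from a subdirectory beside the installer, a clean run from C:\Temp
# (the page's recommended location), and an unrelated process from Downloads.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\Git-2.39.1-64-bit.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Git-2.39.1-64-bit.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Git-2.39.1-64-bit.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\example-subdir\example.dll"},
    {"EventID": 1, "Image": r"C:\Temp\Git-2.39.2-64-bit.exe",
     "CurrentDirectory": r"C:\Temp"},
    {"EventID": 7, "Image": r"C:\Temp\Git-2.39.2-64-bit.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\notepad.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Two practical caveats: Sysmon only records image loads (Event ID 7) when its configuration enables them, and many installers legitimately unpack helper DLLs into a temporary directory, so baseline the installer's normal load paths on a clean machine and extend TRUSTED_DLL_DIRS before turning the second rule into an alert.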
🔗 References
- https://attack.mitre.org/techniques/T1574/002/
- https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1
- https://github.com/git-for-windows/git/security/advisories/GHSA-gf48-x3vr-j5c3
- https://github.com/git-for-windows/git/security/advisories/GHSA-p2x9-prp4-8gvq
- https://learn.microsoft.com/en-us/windows/win32/controls/cookbook-overview?redirectedfrom=MSDN#using-comctl32dll-version-6-in-an-application-that-uses-only-standard-extensions
- https://learn.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies-