CVE-2023-29011
📋 TL;DR
This vulnerability in Git for Windows allows local authenticated users to place malicious configuration files in C:\etc\connectrc, which Git's connect.exe SOCKS5 proxy will execute. This affects multi-user Windows systems where Git for Windows is installed, potentially allowing privilege escalation or arbitrary code execution.
💻 Affected Systems
- Git for Windows
📦 What is this software?
Git For Windows by Git For Windows Project
⚠️ Risk & Real-World Impact
Worst Case
Local authenticated attacker gains code execution with the privileges of any user running Git commands, potentially leading to full system compromise.
Likely Case
Malicious user on shared system executes arbitrary commands when other users run Git operations using the SOCKS5 proxy.
If Mitigated
Limited to authenticated users on same system; proper access controls prevent unauthorized folder creation.
🎯 Exploit Status
Exploitation requires local authenticated access and ability to create files in C:\etc directory. The attack vector is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Git for Windows v2.40.1
Vendor Advisory: https://github.com/git-for-windows/git/security/advisories/GHSA-g4fv-xjqw-q7jm
Restart Required: No
Instructions:
1. Download Git for Windows v2.40.1 or later from https://gitforwindows.org/ 2. Run the installer 3. Choose to upgrade existing installation 4. No system restart required
🔧 Temporary Workarounds
Restrict access to etc folders
windowsCreate etc folders on all drives and remove read/write access for non-administrative users
mkdir C:\etc
icacls C:\etc /deny Users:(OI)(CI)(R,W)
mkdir D:\etc
icacls D:\etc /deny Users:(OI)(CI)(R,W)
Monitor for malicious connectrc files
windowsImplement file monitoring for connectrc files in etc directories across all drives
🧯 If You Can't Patch
- Implement strict access controls on C:\etc and similar directories on all drives
- Monitor for unauthorized file creation in etc directories and alert on suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Git version with: git --version. If version is earlier than 2.40.1, system is vulnerable.Check Version:
git --versionVerify Fix Applied:
Run git --version and confirm output shows 2.40.1 or later. Also verify C:\etc\connectrc does not exist or has proper permissions.📡 Detection & Monitoring
Log Indicators:
- File creation events in C:\etc\connectrc or similar paths on other drives
- Windows Security event logs showing unauthorized file creation
Network Indicators:
- Unusual SOCKS5 proxy connections from Git operations
SIEM Query:
EventID=4663 AND ObjectName LIKE '%\etc\connectrc' AND AccessMask=0x2