git-annex private data exfiltration to compromised remote

Some uses of git-annex were vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN. Joey Hess discovered this attack.

To perform this attack, the attacker needs to have control over one of the remotes of the victim's git-annex repository. For example, they may provide a public git-annex repository that the victim clones. Or, equivalantly, the attacker could have read access to the victim's git-annex repository or a repository it pushes to, and some channel to get commits into it (e.g. pull requests).

These exploits are most likely to succeed when the victim is running the git-annex assistant, or is periodically running git annex sync --content.

To perform the attack the attacker runs git-annex addurl --relaxed file:///etc/passwd and commits this to the repository in some out of the way place. After the victim's git repository receives that change, git-annex follows the attacker-provided URL to the private data, which it stores in the git-annex repository. From there it transfers the content to the remote git-annex repository that the attacker has access to.

As well as file:/// URLs, the attacker can use URLs to private web servers. The URL can also be one that the attacker controls, that redirects to a URL that is accessible to the victim system (and not necessarily the compromised remote).

Fix

The issue was fixed by making git-annex refuse to follow file:/// urls and URLs pointing to private/local IP addresses by default. Two new configuration settings, annex.security.allowed-url-schemes and annex.security.allowed-ip-addresses, can relax this security policy, and are intended for cases where the git-annex repository is kept private and so the attack does not apply.

Impact on external special remotes

One variant of this issue can exploit a vulnerable external special remote, and could not be prevented by git-annex. (git-annex's own built-in special remotes are not vulnerable to this attack.)

In this attack variant, the attacker guesses the hash of a file stored on the victim's private web server, and adds it to the git-annex repository. The attacker also has control of the server hosting an encrypted special remote used by the victim's git-annex repository. They cause that server to redirect to the victim's web server. This allows the attacker to verify if the victim's web server contains a file that the attacker already knows the content of, assuming they can guess the URL to it.

Developers of external special remotes are encouraged to prevent this attack by not following such HTTP redirects.