CVE-2023-23618 Overview
Git for Windows is the Windows port of the popular revision control system Git. Prior to Git for Windows version 2.39.2, when gitk is run on Windows, it potentially runs executables from the current directory inadvertently. This Untrusted Search Path vulnerability (CWE-426) can be exploited with social engineering to trick users into running untrusted code when using gitk or Git GUI's "Visualize History" functionality in clones of untrusted repositories.
Impact
An attacker who persuades a victim to clone a repository and open it with gitk, or with Git GUI's "Visualize History" feature, obtains arbitrary code execution on the victim's machine with the privileges of the user running gitk. No privilege boundary is crossed by the bug itself, but everything that user can reach (credentials, other repositories, the rest of the session) is then in the attacker's hands.
Affected Products
- Git for Windows versions prior to 2.39.2
- gitk graphical history viewer component
- Git GUI's "Visualize History" functionality
Discovery Timeline
- 2023-02-14 - CVE-2023-23618 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-23618
Vulnerability Analysis
This vulnerability falls under CWE-426 (Untrusted Search Path): an application locates a resource, here an executable, through a search path that an untrusted party can influence. gitk is a Tcl/Tk script that launches external programs, above all git itself, by bare name through Tcl's exec command. On Windows that lookup consults the current working directory ahead of the PATH entries, so whatever directory the user is in when gitk starts is effectively part of gitk's executable search path.
When a user clones a malicious repository and runs gitk from inside it, a file such as git.exe committed at the root of the working tree is found and executed in place of the real binary. The victim has to take those steps themselves, which is why the advisory frames exploitation as social engineering: gitk does nothing unusual, it simply never pinned the programs it runs to a trusted location.
Root Cause
The root cause lies in how Tcl's exec command resolves a bare command name. It defers to the platform's executable search, and on Windows that search includes the current working directory, which Unix-like systems do not include unless PATH is explicitly altered to add it. gitk called exec with bare names and had no Windows-specific handling, so any file in the current directory whose name matched the command plus one of the extensions Windows tries (.com, .exe, .bat, .cmd) won the lookup. The fix is to make the script platform-aware and avoid that lookup on Windows.
Attack Vector
The attack requires user interaction and is executed locally by the victim; the attacker needs no access to the machine. The attacker commits executable files whose names match commands gitk invokes (git being the obvious candidate, since gitk calls it constantly) at the root of a repository, because that is the directory a user is in when they run gitk after cloning. The attack chain proceeds as follows:
- Attacker publishes a repository whose root contains the malicious executables as ordinary tracked files
- Victim clones the untrusted repository, which writes those files into the working tree
- Victim changes into the cloned repository directory
- Victim runs gitk there, or opens the repository in Git GUI and uses "Visualize History", which starts gitk in that same directory
- gitk invokes a helper by bare name and Windows resolves it to the attacker's file in the current directory instead of the intended binary
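The lookup described in the root cause and attack chain above, as an added example that is not code from gitk or Git for Windows: a Python model of the CWE-426 resolution, with the cwd-first lookup beside a lookup restricted to trusted directories. The directory layout, the fake Git install path and the placeholder git.exe files are constructed for the demo and nothing is executed; the hardened variant illustrates the principle (resolve external commands only against trusted locations) rather than the exact change gitk made.

```python
"""Added example, not code from gitk or Git for Windows: a Python model of the
CWE-426 lookup behind CVE-2023-23618.

On Windows, resolving a bare command name such as "git" (what gitk's
`exec git ...` does) tries the current directory before the PATH entries and
appends the Windows executable extensions. The demo builds a fake Git install
"on PATH" and a fake untrusted clone containing a decoy git.exe; both files are
empty placeholders and nothing is executed. The cwd-first lookup picks the
decoy; a lookup restricted to the trusted PATH entries does not.
"""
import os
import tempfile

# Extensions a Windows-style lookup appends to a bare command name.
EXTENSIONS = (".com", ".exe", ".bat", ".cmd")


def resolve_path_only(cmd, search_dirs):
    """Resolve `cmd` against an explicit list of directories; first hit wins."""
    for directory in search_dirs:
        for ext in EXTENSIONS:
            candidate = os.path.join(directory, cmd + ext)
            if os.path.isfile(candidate):
                return candidate
    return None


def resolve_cwd_first(cmd, cwd, path_dirs):
    """Model of the vulnerable lookup: the current directory is tried first."""
    return resolve_path_only(cmd, [cwd, *path_dirs])


def build_demo_layout(root):
    """Create the constructed layout: a Git install dir and an untrusted clone.

    Returns (install_bin, repo). Both git.exe files are zero-byte placeholders.
    """
    install_bin = os.path.join(root, "Git", "mingw64", "bin")
    repo = os.path.join(root, "untrusted-repo")
    os.makedirs(install_bin)
    os.makedirs(os.path.join(repo, ".git"))
    for directory in (install_bin, repo):
        with open(os.path.join(directory, "git.exe"), "wb"):
            pass  # placeholder standing in for an executable
    return install_bin, repo


def run_demo():
    """Report which git.exe each lookup strategy would launch from the clone."""
    with tempfile.TemporaryDirectory() as root:
        install_bin, repo = build_demo_layout(root)
        real_git = os.path.join(install_bin, "git.exe")
        decoy = os.path.join(repo, "git.exe")
        vulnerable_pick = resolve_cwd_first("git", repo, [install_bin])
        hardened_pick = resolve_path_only("git", [install_bin])
        return {
            "vulnerable_runs_decoy": vulnerable_pick == decoy,
            "hardened_runs_real_git": hardened_pick == real_git,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model deliberately ignores the other stops in the Windows search order (application directory, system directories) because the current-directory stop is the one the attacker controls; the point is that a caller which never lets the lookup start at the current directory cannot be redirected by files in a clone.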
The following excerpt of the patch adds the platform detection helpers on which the Windows-specific code path depends:
package require Tk
+######################################################################
+##
+## Enabling platform-specific code paths
+
+proc is_MacOSX {} {
+ if {[tk windowingsystem] eq {aqua}} {
+ return 1
+ }
+ return 0
+}
+
+proc is_Windows {} {
+ if {$::tcl_platform(platform) eq {windows}} {
+ return 1
+ }
+ return 0
+}
+
+set _iscygwin {}
+proc is_Cygwin {} {
+ global _iscygwin
+ if {$_iscygwin eq {}} {
+ if {[string match "CYGWIN_*" $::tcl_platform(os)]} {
+ set _iscygwin 1
+ } else {
+ set _iscygwin 0
+ }
Source: GitHub Security Patch Commit
Detection Methods for CVE-2023-23618
Indicators of Compromise
- Presence of unexpected executable files (.exe, .cmd, .bat, .com) in cloned Git repository directories
- Process execution events showing executables running from within Git repository paths
- Unusual child processes spawned by gitk or Git GUI applications
- File system alerts for executable creation in repository working directories
Detection Strategies
- Monitor process creation events for executables launched from Git working trees, in particular children of wish.exe (the Tcl/Tk interpreter that hosts gitk and Git GUI on Windows; there is no separate gitk process)
- Implement file integrity monitoring to detect new executable files appearing in cloned repositories
- Deploy endpoint detection rules that flag executables whose image path lies inside a directory tree that also contains a .git directory, and above all an image path equal to the parent process's current directory
- Correlate git clone operations with subsequent executable creation in the same directory tree
Monitoring Recommendations
- Enable process auditing to capture full command lines and parent-child process relationships for Git-related applications
- Configure security tools to alert on executable files created in directories containing .git subdirectories
- Implement application allowlisting to restrict execution from user-writable directories
- Review and baseline normal gitk and Git GUI process behavior to identify anomalous child process spawning
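The indicators and detection strategies above, turned into a rule and run over sample process creation events. This is an added example and not detection content from the page or any vendor: the events are constructed Sysmon-style Event ID 1 records (Image, ParentImage, CurrentDirectory, CommandLine) serialised as JSON lines, and GIT_INSTALL_DIRS is an assumed install root to adapt per deployment.

```python
"""Added example, not the page's or any vendor's detection content: a rule for
the CVE-2023-23618 indicators, run over constructed Sysmon-style process
creation events (Event ID 1 fields Image, ParentImage, CurrentDirectory,
CommandLine, serialised here as JSON lines). gitk is a Tcl/Tk script, so on
Windows its process is wish.exe; a child of wish.exe whose image lives in the
process's own current directory is the signature of an executable picked up
from a cloned repository. GIT_INSTALL_DIRS is an assumption for the demo.
"""
import json
import ntpath

# Trusted Git for Windows install roots (assumed; adjust to the deployment).
GIT_INSTALL_DIRS = ("C:\\Program Files\\Git",)
# Process names that host gitk on Windows.
GITK_HOSTS = {"wish.exe"}

# Constructed sample events: a benign git call, a hijacked git.exe from a
# clone, an unrelated explorer.exe child, and a wish.exe child outside the
# Git install that is not from the current directory.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": "C:\\Program Files\\Git\\mingw64\\bin\\git.exe",
     "ParentImage": "C:\\Program Files\\Git\\mingw64\\bin\\wish.exe",
     "CurrentDirectory": "C:\\Users\\dev\\trusted-project\\",
     "CommandLine": "git rev-parse --git-dir"},
    {"Image": "C:\\Users\\dev\\evil-clone\\git.exe",
     "ParentImage": "C:\\Program Files\\Git\\mingw64\\bin\\wish.exe",
     "CurrentDirectory": "C:\\Users\\dev\\evil-clone\\",
     "CommandLine": "git rev-parse --git-dir"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\",
     "CommandLine": "notepad.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Git\\mingw64\\bin\\wish.exe",
     "CurrentDirectory": "C:\\Users\\dev\\evil-clone\\",
     "CommandLine": "cmd.exe /c whoami"},
])


def _norm(path):
    """Case-fold and normalise a Windows path (ntpath works on any host)."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, directory):
    """True when path is the directory itself or lies below it."""
    d = _norm(directory).rstrip("\\")
    p = _norm(path)
    return p == d or p.startswith(d + "\\")


def analyze_event(event):
    """Return a finding for a suspicious event, or None."""
    if ntpath.basename(event["ParentImage"]).lower() not in GITK_HOSTS:
        return None
    image = event["Image"]
    if any(_under(image, root) for root in GIT_INSTALL_DIRS):
        return None  # gitk invoking binaries from the real Git install
    launched_from_cwd = _norm(ntpath.dirname(image)) == _norm(event["CurrentDirectory"])
    return {
        "severity": "high" if launched_from_cwd else "medium",
        "reason": ("executable launched from gitk's current directory"
                   if launched_from_cwd else "gitk child outside the Git install"),
        "image": image,
        # Name the attacker chose, i.e. which helper command was hijacked.
        "hijacked_name": ntpath.splitext(ntpath.basename(image))[0],
        "command_line": event["CommandLine"],
    }


def analyze_log(text):
    """Run analyze_event over JSON-lines input and return the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_EVENTS):
        print(finding["severity"], finding["reason"], finding["image"])
```

The current-directory comparison is what separates this bug from ordinary "wish.exe spawned something" noise: gitk legitimately spawns git and a browser, but never from the directory it was started in. Keep the medium-severity branch for triage rather than blocking, since users do open repositories from unusual install locations.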
How to Mitigate CVE-2023-23618
Immediate Actions Required
- Upgrade Git for Windows to version 2.39.2 or later immediately
- Audit systems for Git for Windows installations and identify vulnerable versions
- Warn developers and users about the risks of running gitk in untrusted repository directories
- Review recently cloned repositories for suspicious executable files
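For the audit step above, an added example (not code from Git or the page) that classifies `git --version` output so that Git for Windows installs older than the fixed 2.39.2 can be picked out of an inventory. The version strings in the test are constructed; the helper that runs git on the local host assumes git is on PATH and returns None otherwise.

```python
"""Added example, not code from Git or the page: classify `git --version`
output to find Git for Windows installs affected by CVE-2023-23618 (fixed in
2.39.2). Git for Windows reports versions such as
"git version 2.39.1.windows.1"; the ".windows.N" part is the packaging revision
and is not compared. Pre-release strings ("2.39.2-rc0.windows.1") are
conservatively treated as older than the release they precede.
"""
import re
import subprocess

FIXED_VERSION = (2, 39, 2)
_VERSION_RE = re.compile(r"^git version (\d+)\.(\d+)\.(\d+)(-rc\d+)?")


def parse_git_version(output):
    """Return ((major, minor, patch), is_rc, is_windows_build)."""
    match = _VERSION_RE.match(output.strip())
    if not match:
        raise ValueError(f"unrecognised git --version output: {output!r}")
    version = tuple(int(part) for part in match.groups()[:3])
    return version, match.group(4) is not None, ".windows." in output


def is_vulnerable(output):
    """True for a Git for Windows build older than 2.39.2.

    Only Git for Windows is affected: the current-directory lookup happens in
    Tcl's exec on Windows, so builds without the .windows suffix return False.
    """
    version, is_rc, is_windows = parse_git_version(output)
    if not is_windows:
        return False
    return version < FIXED_VERSION or (version == FIXED_VERSION and is_rc)


def installed_git_output():
    """Run `git --version` on this host; None if git is missing or fails."""
    try:
        completed = subprocess.run(["git", "--version"], capture_output=True,
                                   text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return completed.stdout.strip()


if __name__ == "__main__":
    output = installed_git_output()
    if output is None:
        print("git not found on PATH")
    else:
        verdict = "vulnerable" if is_vulnerable(output) else "not affected"
        print(f"{output} -> {verdict}")
```

`git --version` reports the git binary; in Git for Windows gitk ships in the same package, so that is the right version to compare, but a gitk copied in from elsewhere or run under a separately installed Tcl/Tk needs its own check.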
Patch Information
A security patch is available in Git for Windows version 2.39.2. The commit introduces platform detection helpers (is_Windows, is_MacOSX, is_Cygwin) so that gitk can select a Windows-specific code path when it invokes external commands; the excerpt shown above contains only those helpers, not the call sites that stop the current-directory lookup.
Patch details:
- Fixed version: 2.39.2
- Commit: 49a8ec9dac3cec6602f05fed1b3f80a549c8c05c
- Release: Git for Windows v2.39.2
- Security advisory: GHSA-wxwv-49qw-35pm
Workarounds
- Avoid using gitk or Git GUI's "Visualize History" functionality in clones of untrusted repositories
- Use command-line git log with formatting options as an alternative to graphical history viewers
- Inspect repository contents before running any Git visualization tools
- Consider changing to a different working directory before running gitk to view repository history
# Safe alternative: use git log instead of gitk (works in Git Bash and cmd.exe)
git log --oneline --graph --all
# Or run gitk from a directory you control and point it at the repository
# through the environment (Git Bash syntax). gitk takes no repository path
# argument, but it honours GIT_DIR, and the current directory that Tcl's exec
# searches is then one without attacker-supplied files.
cd /path/to/safe/directory
GIT_DIR=/path/to/repository/.git GIT_WORK_TREE=/path/to/repository gitk
# Check the repository root for executables before using gitk (cmd.exe syntax;
# the extensions are the ones a Windows command lookup tries)
dir /b *.exe *.cmd *.bat *.com 2>nul || echo No executables found
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


