The elevated daemon that imported Git projects for you and how it went wrong

https://wh0.github.io/2021/10/10/glitch-git-import.html

In May, I discovered two root privilege escalation vulnerabilities that took advantage of this Git import service. Glitch has now fully removed this service.

This was a fun time. I finally learned about just why there are two separate chown and lchown functions. And I learned a lot about how git clone works internally and how it communicates with a “dumb HTTP” type remote server. And not the least of which, I got to play around and see what evil things an attacker with root access could do, the findings from which I’d also like to recount for you after the related issues are fixed.

5 Likes