Share
## https://sploitus.com/exploit?id=4A382D86-DD88-5677-AC5E-8009020D86F5
# CVE-2024-52005: ANSI Escape Sequence Injection in Git

## Overview

This repository contains a Proof-of-Concept (PoC) demonstrating CVE-2024-52005, a vulnerability in Git that allows ANSI escape sequence injection through the sideband channel during Git operations.

**CVE-2024-52005** is a **High severity** (CVSS 7.5) vulnerability affecting Git versions prior to 2.48.1, 2.47.3, 2.46.5, 2.45.4, and 2.44.3.

## The Problem

This PoC was created to demonstrate that certain hardened container images incorrectly claim "not_affected" status in their VEX (Vulnerability Exploitability eXchange) documents, despite shipping vulnerable Git versions.

### Real-World Impact

The vulnerability allows attackers to:
- **Hide malicious commands** in Git output using invisible ANSI codes
- **Fake security scan results** in CI/CD pipelines
- **Social engineer users** with fake error messages and security alerts
- **Poison build logs** to make malicious code appear as passing builds
- **Manipulate terminal display** during critical operations

## Quick Start

### Simplest Test (One Command)

```bash
./test_ansi_injection.sh
```

This script will:
1. Create a Git repository with a malicious hook containing ANSI codes
2. Clone it using a vulnerable Git version
3. Show if ANSI escape sequences pass through

If you see `^[[31m` or `^[[32m` in the output, the vulnerability is confirmed.

### Using the Full Exploitation Framework

```bash
# Create malicious repository with social engineering payload
./exploit_cve_2024_52005.py create social_engineering

# Test against vulnerable container
./exploit_cve_2024_52005.py test

# View results
cat -v /tmp/cve-2024-52005-output.log
```

## Repository Contents

- **[test_ansi_injection.sh](test_ansi_injection.sh)** - Simple standalone test script
- **[exploit_cve_2024_52005.py](exploit_cve_2024_52005.py)** - Complete exploitation framework with 8 attack payloads
- **[QUICKSTART.md](QUICKSTART.md)** - Quick start guide with examples
- **[TECHNICAL_DETAILS.md](TECHNICAL_DETAILS.md)** - Complete technical analysis and exploitation guide

## Attack Scenarios

### 1. Supply Chain Attack via ArgoCD
```
Attacker creates public GitHub repo โ†’ ArgoCD clones it automatically โ†’
Git hook injects ANSI codes โ†’ Hides backdoor in deployment logs
```

### 2. CI/CD Pipeline Poisoning
```
Developer clones repo โ†’ Malicious hook runs โ†’ Injects fake "Build PASSED" โ†’
Real failures hidden โ†’ Vulnerable code deployed to production
```

### 3. Security Tool Bypass
```
Security scanner clones repo โ†’ Hook injects ANSI codes โ†’
Shows "0 vulnerabilities" โ†’ Real vulnerabilities hidden โ†’
Malicious code passes review
```

## Exploitation Techniques

The framework includes 8 pre-built attack payloads:

1. **fake_success** - Display fake success messages
2. **hide_command** - Hide malicious commands in output
3. **cursor_manipulation** - Overwrite warnings with fake success
4. **social_engineering** - Trick users into running attacker's script
5. **fake_vulnerability_scan** - Hide real vulnerabilities
6. **progress_bar** - Create fake progress indicators
7. **urgent_warning** - Create false urgency
8. **log_poisoning** - Inject fake success into CI/CD logs

## Why This Matters

Many container images claim "not_affected" for CVE-2024-52005 with the justification:
```json
{
  "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
}
```

**This is incorrect** for containers designed to clone untrusted repositories:
- ArgoCD clones third-party Git repositories
- CI/CD tools process external repositories
- Security scanners analyze untrusted code

The attacker **does** control the vulnerable code path through Git hooks and sideband messages.

## Affected Versions

Git versions affected by CVE-2024-52005:
- All versions &1' | cat -v

# Look for ANSI codes like ^[[31m in the output
```

## References

- [CVE-2024-52005 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-52005)
- [Git Security Advisory](https://github.com/git/git/security/advisories/)
- [OpenVEX Specification](https://github.com/openvex/spec)

## Responsible Disclosure

This PoC was created for:
- Security research and education
- Demonstrating incorrect vulnerability assessments
- Helping organizations properly evaluate their risk
- Encouraging accurate VEX documentation

**For authorized security testing only.** Do not use this against systems you don't own or have permission to test.

## License

MIT License - See LICENSE file for details

## Author

Created as part of container image security research, demonstrating the importance of accurate vulnerability disclosure and assessment.

## Contributing

Found an issue or have improvements? Pull requests welcome!

- Report incorrect VEX assessments you find
- Add new exploitation techniques
- Improve detection methods
- Enhance documentation