Git for Windows NTLM Hash Exposure Vulnerability

A vulnerability in Git for Windows versions prior to 2.53.0.windows.3 allows attackers to obtain a user's NTLM hash. This is achieved by tricking users into cloning a malicious repository or checking out a harmful branch that interacts with an attacker-controlled server. By default, NTLM authentication requires no user interaction, making this vulnerability particularly concerning. The issue arises because Git follows symbolic links to network drives during checkout, inadvertently disclosing NTLMv2 hashes, which can be brute-forced to extract credentials.

Impact

Exploitation of this vulnerability can lead to the unauthorized extraction of NTLMv2 hashes, which can be brute-forced to recover user credentials.

Reproduction

To reproduce this vulnerability, clone a repository or check out a branch that contains symbolic links pointing to network drives. Ensure that the links direct to an attacker-controlled server. During the checkout process, Git will follow the symlinks, triggering NTLM authentication and leaking the NTLMv2 hash to the server.

Remediation

Users can update to Git for Windows version 2.53.0.windows.3 or later, which addresses this vulnerability by preventing Git from following symbolic links to network drives during checkout.