Severity: Unrated · NVD Advisory · Published Mar 21, 2021 · Updated Aug 3, 2024

CVE-2021-28954

Description

In Chris Walz bit before 1.0.5 on Windows, attackers can run arbitrary code via a .exe file in a crafted repository.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

bit before 1.0.5 on Windows allows arbitrary code execution via a crafted repository exploiting an uncontrolled search path element.

Vulnerability

In Chris Walz's bit tool for Windows, versions 1.0.4 and earlier contain an uncontrolled search path element vulnerability (CWE-427) [2]. When bit executes Git commands, it searches for the git.exe binary in a sequence of directories. A malicious repository can place a crafted .exe file (e.g., named git.exe) in a location that is searched before the legitimate Git installation, causing bit to load and execute the attacker's binary instead [1][2].
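The lookup pattern described above, shown as an added Go example that is not bit's own code (bit is written in Go, but the function names, directory list and PATHEXT subset here are constructed for illustration). NaiveResolve consults the working directory first and accepts relative PATH entries, which is the CWE-427 shape; ResolveTool only searches absolute directories, so a git.exe sitting in a freshly cloned repository is never a candidate, and it returns an absolute path for the caller to hand to exec.Command instead of a bare name.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound is returned when no trusted directory holds the executable.
var ErrNotFound = errors.New("executable not found in any trusted directory")

// NaiveResolve mirrors the lookup pattern behind CWE-427: it consults the
// working directory first, then every PATH entry as given, relative ones
// included. With a cloned repository as the working directory, a git.exe
// checked into that repository is the first match.
func NaiveResolve(name string, dirs []string, exts []string) (string, error) {
	search := append([]string{"."}, dirs...)
	for _, dir := range search {
		for _, ext := range exts {
			candidate := filepath.Join(dir, name+ext)
			if info, err := os.Stat(candidate); err == nil && info.Mode().IsRegular() {
				return candidate, nil
			}
		}
	}
	return "", ErrNotFound
}

// ResolveTool is the hardened form. It searches only the directories it is
// given, skips empty and relative entries (so the working directory, and
// therefore a freshly cloned repository, is never consulted), and returns
// the absolute path of the first regular file that matches.
func ResolveTool(name string, dirs []string, exts []string) (string, error) {
	for _, dir := range dirs {
		dir = strings.TrimSpace(dir)
		if dir == "" || !filepath.IsAbs(dir) {
			continue // constructed policy: relative search entries are untrusted
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, name+ext)
			if info, err := os.Stat(candidate); err == nil && info.Mode().IsRegular() {
				return filepath.Clean(candidate), nil
			}
		}
	}
	return "", ErrNotFound
}

// WindowsExts returns the extensions tried for a bare tool name on Windows;
// "" is included so an already-qualified name such as "git.exe" also works.
// Constructed subset for this example; the real PATHEXT list is longer.
func WindowsExts() []string { return []string{"", ".exe", ".cmd", ".bat"} }

func main() {
	// Demonstration against the PATH of the machine running this example.
	dirs := filepath.SplitList(os.Getenv("PATH"))
	if p, err := ResolveTool("git", dirs, WindowsExts()); err == nil {
		fmt.Println("trusted git binary:", p)
	} else {
		fmt.Println(err)
	}
}
```

The resolver is deliberately separate from the call site: compute the absolute path once at startup, log it, and pass that path to every exec.Command. Go 1.19 and later already stop exec.LookPath from returning results relative to the working directory; an explicit resolver such as this keeps the policy visible and testable regardless of toolchain.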

Exploitation

An attacker needs to convince a victim to clone or open a specially crafted repository using bit on Windows. No additional authentication or special privileges are required beyond the ability to host or distribute the repository. When bit runs a Git command (e.g., during clone, fetch, or status operations), the malicious .exe file is executed in the context of the user [2].

Impact

Successful exploitation leads to arbitrary code execution with the privileges of the user running bit. The attacker can achieve full compromise of the affected system, including data theft, installation of malware, or lateral movement within the network [2].

Mitigation

The vulnerability is fixed in bit version 1.0.5 [1]. Users should update to this version or later. No workaround is documented, and the CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
