Archive for the ‘file system (case-insensitive)’ Category

In Git, CVE-2024-32002 is an RCE (remote code execution) vulnerability that can be exploited through repositories with submodules. I won’t go deep into the CVE itself, as there are good sources around on how it works and how to exploit it, such as this one [1].
The idea here is to show, step by step, how you can set up an EXT4 file system with case-insensitivity enabled.
First of all, it is important to mention that this feature was introduced in Linux 5.2 [2]. Hence you need to check whether your system supports it. To do so, just type:

$ cat /sys/fs/ext4/features/casefold

It should show: supported.
Now, if your system supports it, let’s create an EXT4 file system with that feature enabled. But instead of formatting a whole partition, let’s use a block device backed by a loop device. Follow these steps:

# Create a file to be your block device

$ dd if=/dev/zero of=filename bs=1024 count=51200

# After that, the file "filename" exists, made of blocks of 1024 bytes, ~51M in total.

# Now, check which loop device is available:

$ losetup -f
# output example: /dev/loop1

# Create the block device with the available loop device

$ losetup /dev/loop1 filename
# where filename is the block file you created using dd

Now that you have a loop device, the next step is to create the file system with casefold enabled and mount it at some mount point.

$ mkfs -t ext4 -O casefold /dev/loop1

# create the poc directory in /mnt (/mnt/poc), where you'll mount it
# remember to set its ownership to your user:
# chown -R your_user:your_user_group poc
# e.g.: chown -R corecode:corecode poc

$ mount -t ext4 /dev/loop1 /mnt/poc

# check that it was mounted
$ df -h /dev/loop1

# check that the device/fs supports case-insensitivity by looking for casefold in:
# Filesystem features:     ... filetype needs_recovery extent 64bit flex_bg casefold <--
$ sudo tune2fs -l /dev/loop1

# Now you have a folder with that file system mounted. To enable case-insensitivity in a directory you need to:

$ chattr +F directory 

# If you want to check whether a given directory is case-insensitive:

$ lsattr .
# output: ----------------F--- directory
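
To confirm that chattr +F really took effect, here is an added example (not part of the original post): has_casefold_flag parses an lsattr -d line like the one above, and is_case_insensitive probes the actual lookup behaviour of a directory. The function names and the CaseProbe file name are made up for this sketch. Note that chattr +F only succeeds on an empty directory, so set the flag before putting files in it.

```bash
#!/usr/bin/env bash
# Added example: check whether a directory does case-insensitive lookups.
# Function names and the probe file name are hypothetical, not from the post.

# has_casefold_flag LINE
# Parse one line of `lsattr -d` output, e.g. "----------------F--- directory",
# and succeed if the casefold attribute (F) appears in the flags field.
has_casefold_flag() {
    _flags=${1%% *}             # first space-separated field = attribute flags
    case "$_flags" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# is_case_insensitive DIR
# Behavioural probe: create a mixed-case file, then look it up under a
# case-swapped name. Returns 0 = case-insensitive, 1 = case-sensitive,
# 2 = could not probe (missing or unwritable directory).
is_case_insensitive() {
    _dir=$1
    _rc=1
    [ -d "$_dir" ] && [ -w "$_dir" ] || return 2
    _probe=$(mktemp "$_dir/CaseProbe.XXXXXX") || return 2
    # Swap the case of every letter in the file name only, not in the path.
    _alt="$_dir/$(basename "$_probe" | tr 'a-zA-Z' 'A-Za-z')"
    # -ef is true only when both names resolve to the same inode.
    if [ "$_alt" -ef "$_probe" ]; then _rc=0; fi
    rm -f -- "$_probe"          # leave the directory as we found it
    return "$_rc"
}

# Usage: ./casefold_check.sh /mnt/poc/directory
if [ "$#" -ge 1 ]; then
    if has_casefold_flag "$(lsattr -d "$1" 2>/dev/null)"; then
        echo "$1: casefold attribute (F) is set"
    fi
    if is_case_insensitive "$1"; then
        echo "$1: lookups are case-insensitive"
    else
        echo "$1: lookups are case-sensitive (or directory not probeable)"
    fi
fi
```

The behavioural probe works on any file system, so it can also be pointed at a clone destination to see whether case-colliding paths would land on the same file there.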

In order to reproduce the Git CVE-2024-32002 PoC you can grab the script here and give it a try. Pro-tip: change the program-execution section to something Linux understands, e.g. cal or gnome-calculator or whatever you want.

References:
[1] https://amalmurali.me/posts/git-rce/
[2] https://www.collabora.com/news-and-blog/blog/2020/08/27/using-the-linux-kernel-case-insensitive-feature-in-ext4/
