cbcvebase.
CVE-2017-1000117
published 2017-10-05

Priority P274 high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 77.82% (99.5th percentile)
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

Affected

71 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | xcode_9 | | |
| atlassian | bitbucket | < 5.4.1 | 5.4.1 |
| atlassian | bitbucket | >= 5.1.0 < 5.1.7 | 5.1.7 |
| atlassian | bitbucket | >= 5.2.0 < 5.2.5 | 5.2.5 |
| atlassian | bitbucket | >= 5.3.0 < 5.3.3 | 5.3.3 |
| atlassian | bitbucket_server | | |
| atlassian | bitbucket_server | | |
| atlassian | bitbucket_server | | |
| atlassian | bitbucket_server | | |
| canonical | bazaar | <= 2.7.0 | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | breezy | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | 0 – 2.7.0 | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | dulwich | < dulwich 0.18.5-1 (bookworm) | dulwich 0.18.5-1 (bookworm) |
| debian | fossil | < fossil 1:2.4-1 (bookworm) | fossil 1:2.4-1 (bookworm) |
| debian | git | < git 1:2.14.1-1 (bookworm) | git 1:2.14.1-1 (bookworm) |
| debian | git-annex | < git-annex 6.20170818-1 (bookworm) | git-annex 6.20170818-1 (bookworm) |
| dulwich_project | dulwich | <= 0.18.4 | |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |

Detection & IOCs (extracted from sources)

url: ssh://-oProxyCommand=<payload>/
command: ssh://-oProxyCommand=
other: ssh://-eProxyCommand=
ua: git/*
filename: .gitmodules
  • Detect git clone or submodule init operations referencing ssh:// URLs where the hostname begins with a dash character (e.g., ssh://-o... or ssh://-e...), which is the core exploitation pattern for CVE-2017-1000117.
  • Inspect .gitmodules files in cloned repositories for submodule URLs beginning with 'ssh://-' — particularly patterns like ssh://-oProxyCommand= or ssh://-eProxyCommand= which abuse SSH option injection.
  • Monitor HTTP servers serving fake git repositories: look for User-Agent strings matching 'git/*' fetching paths under a *.git URI, followed by requests for /objects/ paths and /HEAD or /info/refs — indicative of the Metasploit exploit module's malicious git HTTP server.
  • Alert on git submodule initialisation (git submodule init / git submodule update) where the resolved remote URL contains an initial dash in the hostname portion of an ssh:// scheme, as this triggers arbitrary OS command execution.
  • The same ssh://-<option> hostname injection pattern applies to related tools (Bazaar bzr+ssh, git-annex); broaden detection to cover bzr+ssh:// and annex remote URLs with leading-dash hostnames.
  • The exploit targets Git version 2.7.5 and lower; versions above this threshold are not affected by CVE-2017-1000117 and detections should be scoped accordingly.
  • The Metasploit module uses a randomly generated URI path for the malicious git repository (random alpha string + '.git') and a randomly generated submodule path, so static URI-based signatures will have limited coverage; behavioural detection on .gitmodules content is more reliable.
  • The payload is URL-hex-encoded (Rex::Text.to_hex with '%') before being embedded in the ssh:// URL, so plain-text command string matching in .gitmodules will miss encoded payloads; decode percent-encoded hostnames before matching.
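
The .gitmodules check described in the bullets above, as an added example (not code from this page or from any project it names): it percent-decodes the host of every ssh-style submodule URL before testing for a leading dash. The function names, the sample file content and the PLACEHOLDER value are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample .gitmodules content (not taken from any real repository).
SAMPLE_GITMODULES = '''\
[submodule "lib"]
    path = lib
    url = ssh://git@example.com/lib.git
[submodule "plain"]
    path = plain
    url = ssh://-oProxyCommand=PLACEHOLDER/x
[submodule "encoded"]
    path = encoded
    url = ssh://%2DoProxyCommand%3DPLACEHOLDER/x
'''

SECTION = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
URL_KEY = re.compile(r'^\s*url\s*=\s*(\S.*?)\s*$', re.IGNORECASE)
# Any scheme containing "ssh": ssh://, git+ssh://, bzr+ssh://, ...
SSH_URL = re.compile(r'^[a-z0-9+.-]*ssh[a-z0-9+.-]*://(.*)$', re.IGNORECASE)

def leading_dash_host(url):
    """Return the decoded host if it starts with '-', else None."""
    m = SSH_URL.match(url.strip())
    if not m:
        return None
    authority = m.group(1).split("/", 1)[0]
    # Check the whole authority and the part after "user@"; decode so %2D is caught.
    for candidate in (authority, authority.rsplit("@", 1)[-1]):
        decoded = unquote(candidate)
        if decoded.startswith("-"):
            return decoded
    return None

def scan_gitmodules(text):
    """Return (submodule, url, decoded_host) for each suspicious url entry."""
    findings, current = [], None
    for line in text.splitlines():
        if (s := SECTION.match(line)):
            current = s.group(1)
        elif (u := URL_KEY.match(line)):
            host = leading_dash_host(u.group(1))
            if host is not None:
                findings.append((current, u.group(1), host))
    return findings

if __name__ == "__main__":
    for name, url, host in scan_gitmodules(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: {url} -> host {host!r}")
```

The authority is split from the raw URL before decoding so that an encoded "@" or "/" inside the host cannot hide the leading dash.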

CVSS provenance

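| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |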