POC details: 57504dfdd8bd30adc0ed70224fb38c31b69211be

Source
Related vulnerability
Title: GitLab path traversal vulnerability (CVE-2020-10977)
Description: GitLab is a self-hosted Git (version control system) repository application developed in Ruby on Rails by the US company GitLab. It can be used to browse a project's file contents, commit history, bug list and so on. GitLab (Enterprise Edition and Community Edition) before 12.9 contains a path traversal vulnerability. The flaw stems from the product failing to correctly filter special elements in resource or file paths. An attacker can exploit it to access locations outside the restricted directory.
Description
GitLab Arbitrary File Read Exploit
Introduction
# GitLab CVE2020-10977

## Introduction

This script provides remote code execution against GitLab Community Edition (CE) and Enterprise Edition (EE). The CVE is an arbitrary file read that lets you extract the Rails `secret_key_base` by downloading the GitLab `secrets.yaml` file. That secret in turn lets you gain code execution by signing your own `experimentation_subject_id` cookie, which GitLab uses internally for A/B testing. The payload embedded in the cookie triggers a deserialization vulnerability that allows running code on the GitLab instance.

> The arbitrary file read exists in GitLab EE/CE 8.5 and later. It was fixed in 12.9.1, 12.8.8 and 12.7.8. However, the RCE only affects version 12.4.0 and above, the release in which the vulnerable `experimentation_subject_id` cookie was introduced.

_Tested on 12.8.1_
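A defender-side triage helper, added here as an example and not part of this repository: given a GitLab version string, it applies the affected and fixed versions stated above (file read from 8.5, RCE chain from 12.4.0, fixes in 12.9.1, 12.8.8 and 12.7.8) to report which of the two issues still applies. It assumes that branches the note does not name, such as 12.6.x, received no backported fix.

```python
import re

# Version boundaries stated in the README note above.
FILE_READ_INTRODUCED = (8, 5, 0)    # arbitrary file read exists in 8.5 and later
RCE_COOKIE_INTRODUCED = (12, 4, 0)  # experimentation_subject_id cookie appeared in 12.4.0
FIXED_IN = [(12, 9, 1), (12, 8, 8), (12, 7, 8)]  # patched releases per branch


def parse_version(text):
    """Turn '12.8.1', '12.8.1-ee' or 'v12.8' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_patched(v):
    """A release is patched if it is at or past the newest fix (12.9.1), or at
    or past the backported fix on its own minor branch. Branches not named in
    the note (e.g. 12.6.x) are assumed here to have received no backport."""
    if v >= max(FIXED_IN):
        return True
    return any(v[:2] == fix[:2] and v >= fix for fix in FIXED_IN)


def assess(version_text):
    """Report which of the two issues described above applies to a version."""
    v = parse_version(version_text)
    patched = is_patched(v)
    return {
        "version": v,
        "file_read": v >= FILE_READ_INTRODUCED and not patched,
        "rce_chain": v >= RCE_COOKIE_INTRODUCED and not patched,
    }


if __name__ == "__main__":
    # Constructed sample inventory of version strings, not real hosts.
    for ver in ["12.8.1-ee", "12.8.8", "12.9.0", "12.3.5", "8.4.2", "12.10.0-ce"]:
        r = assess(ver)
        print(f"{ver:12} file read: {str(r['file_read']):5} RCE chain: {r['rce_chain']}")
```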

## Usage

The module was tested with python 3.9 and requires the following dependencies:

- requests
- beautifulsoup4

If you have `pipenv` installed you can quickly get started by running `pipenv install` and `pipenv shell` to get a shell in the pipenv virtual environment.

```sh
 $ ./cve_2020_10977.py --help

usage: cve_2020_10977.py [-h] --url URL -u USERNAME -p PASSWORD [--cmd CMD]

optional arguments:
  -h, --help            show this help message and exit
  --url URL             Target URL
  -u USERNAME, --username USERNAME
                        Gitlab username
  -p PASSWORD, --password PASSWORD
                        Gitlab password
  --cmd CMD             Command to execute
```

## Development

A `Makefile` is included to ease local development or testing out the exploit. It depends on `docker` and `docker-compose` to quickly spin up a local version of GitLab that is vulnerable to this CVE.

```sh
make up
```

This spins up a local instance of GitLab and a Debian instance that makes it easier to test out a reverse shell. The GitLab instance will be available from your localhost on port `5580`. Having this extra image gives you an IP that is reachable from within the docker network. It's possible to make your localhost reachable from the docker container, but not worth the effort IMO, and I definitely don't want to advertise using `--privileged`.

Connecting to the RHOST debian instance can easily be done with:

```sh
make shell
```

This allows you to prepare your reverse shell listener with `nc -lnvp 9000`.

When this is done, you are ready to test out the exploit. You can run:

```sh
make exploit
```

This runs the exploit without the RCE step; it only prints out the GitLab Rails secret.

```sh
make exploit-rce
```

This chains the CVE with the RCE payload mentioned above to get a reverse shell.

Happy hacking!

## References

- https://hackerone.com/reports/827052
- https://nvd.nist.gov/vuln/detail/CVE-2020-10977
- https://www.exploit-db.com/exploits/48431
File snapshot

```text
[4.0K] /data/pocs/57504dfdd8bd30adc0ed70224fb38c31b69211be
├── [ 11K] cve_2020_10977.py
├── [ 374] docker-compose.yaml
├── [1.0K] LICENSE
├── [ 684] Makefile
├── [ 221] Pipfile
├── [8.6K] Pipfile.lock
├── [2.8K] README.md
└── [4.0K] utils
    ├── [1.3K] decode-cookie.py
    └── [ 414] rails_gen_cookie.rb

1 directory, 9 files
```