# GitLab Pre-Auth Remote Command Execution (CVE-2021-22205)

[中文版本(Chinese version)](README.zh-cn.md)

GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager with wiki, issue-tracking, and continuous integration and deployment pipeline features.

An issue has been discovered in GitLab CE/EE affecting versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in unauthenticated remote command execution.

References:

- https://hackerone.com/reports/1154542
- https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml

## Vulnerable environment

Execute the following command to start GitLab Community Server 13.10.1:

```
docker compose up -d
```

After the server is started, browse to `http://your-ip:8080` to see the website.

## Exploit

The API endpoint `/uploads/user` is an unauthenticated interface. Attack the server through [poc.py](poc.py):

```
python poc.py http://your-ip:8080 "touch /tmp/success"
```

![](1.png)

`touch /tmp/success` has been executed successfully:

![](2.png)