Remote command execution #5469

Closed
2 tasks
5alt opened this issue Oct 22, 2018 · 9 comments
Labels
💊 bug Something isn't working priority: critical Oh damn, fix it now! 🔒 security Categorizes as related to security status: needs feedback Tell me more about it 🤷 third-party It's someone else's shit

Comments

@5alt

5alt commented Oct 22, 2018

  • Gogs version (or commit ref): newest (3a4c981)
  • Can you reproduce the bug at https://try.gogs.io:
    • [x] Yes (provide example URL)
    • [ ] No
    • [ ] Not relevant

Description

I can log in to an arbitrary account. And when logged in as admin, I can execute any command via git hooks.

I just tried logging in to Unknown's account but did not perform command execution.

[screenshot: gogs_admin_en]

[screenshot: gogs_admin4_en]

As this is a very severe issue, I won't post details here.

@unknwon can you give me your email address so I can send the details to you?

@shaileshsharan98

This is a very serious issue @unknwon, and this is the email: u@gogs.io @5alt

@unknwon unknwon added 💊 bug Something isn't working 🔒 security Categorizes as related to security labels Oct 23, 2018
@unknwon unknwon added this to the 0.12 milestone Oct 23, 2018
@unknwon unknwon added the priority: critical Oh damn, fix it now! label Oct 23, 2018
@unknwon unknwon changed the title gogs remote command execution Remote command execution Oct 23, 2018
unknwon added a commit to go-macaron/session that referenced this issue Oct 24, 2018
unknwon added a commit that referenced this issue Oct 24, 2018
Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
unknwon added a commit to go-macaron/session that referenced this issue Oct 24, 2018
unknwon added a commit that referenced this issue Oct 24, 2018
Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
@unknwon unknwon added the status: needs feedback Tell me more about it label Oct 24, 2018
@unknwon
Member

unknwon commented Oct 24, 2018

A patch has been pushed to fix this issue; please test on the develop branch or https://try.gogs.io.

@5alt
Author

5alt commented Oct 26, 2018

Hi, the patch can be bypassed using ..\ on Windows. You should actually check for .. :

if strings.ContainsAny(sid, "..") {
	return nil, errors.New("invalid 'sid': " + sid)
}

@unknwon
Member

unknwon commented Oct 26, 2018

strings.ContainsAny checks for any substring of the second argument, so even "..\" should work:

https://play.golang.org/p/z2QN4ReKbfT

@5alt
Author

5alt commented Oct 26, 2018

strings.ContainsAny checks for any substring of the second argument, so even ".." should work:

https://play.golang.org/p/z2QN4ReKbfT

In your patch, you checked ./, but forgot to check .\

func (m *Manager) Read(sid string) (RawStore, error) {
	// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
	// See https://github.com/gogs/gogs/issues/5469
	if strings.ContainsAny(sid, "./") {
		return nil, errors.New("invalid 'sid': " + sid)
	}

	return m.provider.Read(sid)
}

If gogs runs on Windows, ..\ can still be used for a directory traversal attack.

So checking for .. is the best solution.

@unknwon
Member

unknwon commented Oct 26, 2018

strings.ContainsAny(sid, "./") is equivalent to strings.Contains(sid, ".") || strings.Contains(sid, "/"). Thus, as long as the sid contains ".", it returns true.

@zeripath

Hmm. I think you're fixing things at the wrong level here. The issue is with the file session provider in file.go, not necessarily session.go.

Each session provider should be responsible for checking whether a session id is valid for it; therefore a check that the session id is valid should be in the Exists function of each of the providers.

For example, you may want to ensure that session IDs are a certain length on a database. Similarly, if you're on ntfs or fat32, a session id with the path can't be more than 256 characters long due to filesystem constraints.

If there are global session id validity rules, you need to check them before calling m.provider.Exists. As it stands, Exists is called before these are checked in Read. I'm not sure there's anything horrible you can do with just checking if a file exists, but I'm fairly sure you shouldn't be able to do that.

@zeripath

zeripath commented Oct 26, 2018

Looking again at this the "Destory" (is this meant to be destroy?) and Regenerate methods basically allow arbitrary file creation and deletion through a similar fault. I'm not sure if these methods are available to end users to call arbitrarily but they almost certainly need checks placed on them too.

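The two points raised in this thread, that strings.ContainsAny(sid, "./") already rejects "..\" because it matches any single character of its second argument, and that a file-backed provider should validate the id on every entry point rather than only in Manager.Read, as an added Go example (not code from go-macaron/session or Gogs; FileProvider, ValidSID and the 64-character bound are assumptions made for the illustration):

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrBadSID = errors.New("session: invalid sid")

// DenylistRejects is the check from the patch under discussion: ContainsAny
// is true if sid contains ANY rune of "./", so `..\` is rejected through its
// dots even though '\' is not listed. The weakness of a denylist is that it
// must enumerate every dangerous character.
func DenylistRejects(sid string) bool {
	return strings.ContainsAny(sid, "./")
}

// ValidSID is an allowlist: only ASCII letters and digits, with a length
// bound (64 is an assumed value, not the library's). Every separator, dot,
// space or NUL is rejected without naming them, on Windows and Unix alike.
func ValidSID(sid string) bool {
	if len(sid) == 0 || len(sid) > 64 {
		return false
	}
	for i := 0; i < len(sid); i++ {
		c := sid[i]
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z') {
			return false
		}
	}
	return true
}

// FileProvider is a hypothetical file session store; path() is the single
// choke point that Exists, Read, Destroy and Regenerate would all go through,
// so none of them can be reached with an unvalidated id.
type FileProvider struct{ root string }

func (p *FileProvider) path(sid string) (string, error) {
	if !ValidSID(sid) {
		return "", ErrBadSID
	}
	return p.root + "/" + sid, nil
}

func main() {
	p := &FileProvider{root: "/tmp/sessions"} // constructed sample root
	for _, sid := range []string{"abc123", "../../etc/passwd", `..\..\custom\conf\app.ini`, "a b"} {
		fp, err := p.path(sid)
		fmt.Printf("%-28q denylist=%-5v allowlist=%-5v path=%q err=%v\n", sid, DenylistRejects(sid), ValidSID(sid), fp, err)
	}
}
```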
zeripath added a commit to zeripath/macaron-session that referenced this issue Oct 26, 2018
Another fix for gogs/gogs#5469

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath added a commit to zeripath/macaron-session that referenced this issue Oct 31, 2018
Another fix for gogs/gogs#5469

Signed-off-by: Andrew Thornton <art27@cantab.net>
@unknwon unknwon added status: assigned to community Take it on, you're the rockstar 🤷 third-party It's someone else's shit and removed status: assigned to community Take it on, you're the rockstar labels Nov 7, 2018
unknwon pushed a commit to go-macaron/session that referenced this issue Nov 7, 2018
…ve produced (#24)

Another fix for gogs/gogs#5469

Signed-off-by: Andrew Thornton <art27@cantab.net>
unknwon added a commit that referenced this issue Nov 7, 2018
Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
@unknwon
Member

unknwon commented Nov 7, 2018

This issue should finally be solved by go-macaron/session#24. Thanks to @zeripath!

@unknwon unknwon closed this as completed Dec 1, 2018
crohr pushed a commit to pkgr/gogs that referenced this issue Jan 31, 2019
Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
crohr pushed a commit to pkgr/gogs that referenced this issue Jan 31, 2019
Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
crohr pushed a commit to pkgr/gogs that referenced this issue Jan 31, 2019
Fix security flaw reported by c957861129d62331c5704d2f04d11e41.
@unknwon unknwon modified the milestones: 0.13, 0.12 Nov 26, 2019
puckiestyle added a commit to puckiestyle/python that referenced this issue Dec 6, 2019
GogsOwnz is a simple script to gain administrator rights and RCE on a Gogs/Gitea server.
Exploit vulnerabilities in Gogs/Gitea, including CVE-2018-18925, CVE-2018-20303.

Legal Disclaimer This script is offered as is. No warranty, use on your own, please obey the law.

Typical Usage - [Please, read the full usage]
Get info about Gogs/Gitea running

python3 gogsownz.py https://127.0.0.1:3000/ -v --info
Exploit preauth PrivEsc

python3 gogsownz.py https://127.0.0.1:3000/ -v --preauth
Exploit PrivEsc

python3 gogsownz.py https://127.0.0.1:3000/ -v -C '<user>:<password>' --cleanup
or alternatively

python3 gogsownz.py https://127.0.0.1:3000/ -v -c '<i_like_gogs_cookie>' --cleanup
Exploit preauth RCE

python3 gogsownz.py https://127.0.0.1:3000/ -v --preauth --rce 'sleep 10' --cleanup
Exploit auth RCE

python3 gogsownz.py https://127.0.0.1:3000/ -v -C '<user>:<password>' --rce 'sleep 10' --cleanup
Full usage

usage: gogsownz [-h] [-C CREDS] [-n COOKIENAME] [-c COOKIE] [-i] [--rce RCE]
                [--repo REPO] [--preauth] [--windows] [--cleanup] [--tor]
                [--check-tor] [--burp] [-k] [--verbose]
                url

positional arguments:
  url                   URL for the Gogs server

optional arguments:
  -h, --help            show this help message and exit
  -C CREDS, --creds CREDS
                        Credentials for the Gogs server, in the from
                        "username:password"
  -n COOKIENAME, --cookie-name COOKIENAME
                        Name of the Gogs-specific session cookie
  -c COOKIE, --cookie COOKIE
                        Session for the Gogs server, the value in the
                        i_like_gogits Cookie
  -i, --info            Only detect informations about the running Gogs
                        server, then quit
  --rce RCE             Command to execute on the Gogs server
  --repo REPO           Use an existing repo for the PrivEsc
  --preauth             Try the pre-auth vulnerability
  --windows             Gogs server runs on Windows
  --cleanup             Remove all created repo after exploit
  --tor                 Use tor proxy when performing requests
  --check-tor           Check that Tor is correctly set up before running
  --burp                Use burp proxy when performing requests
  -k, --insecure        Allow insecure server connections when using SSL
  --verbose, -v

Thanks
Thanks to:

Tencent Security (@md5_salt, @ma7h1as and @chromium1337)
PentesterLab (@snyff)
LuckyC4t
the gogs security community :D
Further readings
gogs/gogs#5469
gogs/gogs#5558
gogs/gogs@8c8c37a
gogs/gogs#5599
https://2018.zeronights.ru/wp-content/uploads/materials/17-Who-owned-your-code.pdf

Mitigations
If you take care in setting up your systemd unit file, you'll be pleasantly surprised to see that exploitation is somewhat contained:

[Unit]
Description=Gogs
After=syslog.target
After=network.target

[Service]
Type=simple
User=gogs
Group=gogs
WorkingDirectory=/home/gogs/installations/gogs/
ExecStart=/home/gogs/installations/gogs/gogs web
Restart=always
Environment=USER=gogs HOME=/home/gogs

# Some distributions may not support these hardening directives. If you cannot start the service due
# to an unknown option, comment out the ones not supported by your version of systemd.
ProtectSystem=full
PrivateDevices=yes
PrivateTmp=yes
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
This will at least keep filesystem access contained to an ephemeral filesystem created by systemd. It helps, but you should probably patch the privesc and not give any admin.. obviously
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 23, 2022