Gitea and Gogs Git Hooks RCE #14978
Conversation
# HTTP client does not handle cookies with the same name correctly. It adds
# them instead of substituting the old value with the new one.
unless res.get_cookies.empty?
cc @agalway-r7 - might be worth checking that keep_cookies
would've worked with this under #14831
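The comment above concerns a client that appends a second cookie with the same name instead of replacing the old value. The following is an added example, not code from the PR or from the Metasploit HTTP client: a minimal cookie jar that overwrites by name, shown next to the naive append behaviour so the difference is visible when a server rotates a session cookie after login. All cookie names and values are constructed.

```ruby
# Added example (not part of the PR): a minimal cookie jar that replaces a cookie
# with the same name instead of appending a second copy. Names and values below
# are constructed samples.

# Parse one Set-Cookie header value into [name, value]. Attributes such as Path
# or HttpOnly are dropped because only the name=value pair is sent back.
def parse_set_cookie(header)
  pair = header.split(';', 2).first.strip
  name, value = pair.split('=', 2)
  [name, value.to_s]
end

# Merge new Set-Cookie headers into an existing jar (a Hash keyed by name).
# A cookie that is already present is overwritten, so a rotated session id
# replaces the stale one rather than being sent alongside it.
def merge_cookies(jar, set_cookie_headers)
  set_cookie_headers.each do |h|
    name, value = parse_set_cookie(h)
    jar[name] = value
  end
  jar
end

# Serialise the jar into the value of a Cookie request header.
def cookie_header(jar)
  jar.map { |k, v| "#{k}=#{v}" }.join('; ')
end

# Naive behaviour for comparison: every received cookie is appended as-is,
# so two values for the same name end up in the request.
def append_cookies(raw, set_cookie_headers)
  extra = set_cookie_headers.map { |h| h.split(';', 2).first.strip }
  ([raw] + extra).reject(&:empty?).join('; ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed responses: a pre-login session, then a rotated one after login.
  first  = ['session=abc123; Path=/; HttpOnly', 'csrf=tok1; Path=/']
  second = ['session=def456; Path=/; HttpOnly']

  jar = merge_cookies({}, first)
  merge_cookies(jar, second)
  puts "merged:   #{cookie_header(jar)}"
  puts "appended: #{append_cookies(append_cookies('', first), second)}"
end
```

With the merged jar the request carries only `session=def456; csrf=tok1`; with naive appending it carries both session values, and which one the server honours is up to the server.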
Hey @cdelafuente-r7, these look great! I had just a few really minor suggestions.
Tested the Gitea v1.12.5 - Linux
Gitea v1.12.2 - Windows
Only tested the latest version of Gogs v0.12.3 - Linux
- Set RPORT default value to 3000
- Use ternary operator
Thanks for reviewing and testing this @space-r7! I believe I addressed all the comments in the last commit. Please let me know if there is anything else that should be updated.
Looks good to me! Thanks much!
Original Release Notes: This adds two modules,
Release Notes: New module; New module
This adds 2 exploit modules for Gitea and Gogs self-hosted Git services. I added them both to a single PR since they are very similar (Gitea is a fork of Gogs) and, if anything needs to be updated after code review, it is very likely this would have to be done for both modules identically.

Both modules leverage an insecure setting to get remote code execution on the target OS in the context of the user running the application. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator. To achieve code execution, the module authenticates to the web interface, creates a temporary repository, sets a post-receive git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface.

It has been mitigated in Gitea version 1.13.0 by setting the DISABLE_GIT_HOOKS configuration setting to true by default. This disables this feature and prevents all users (including admin) from creating custom git hooks. However, no mitigation has been implemented in Gogs so far (latest stable version is 0.12.3).

This has been tested successfully against Gitea Docker versions 1.12.5, 1.12.6 and 1.13.6 with DISABLE_GIT_HOOKS set to false, and on Gitea version 1.12.6 on Windows. Also, this has been tested successfully against Gogs version 0.12.3 on Docker. The Windows version could not be tested since the git hook feature seems to be broken.
Setup
Gitea
Follow the installation steps:
Gogs
Follow the installation steps:
Verification
Gitea
msfconsole
use multi/http/gitea_git_hooks_rce
set USERNAME <username>
set PASSWORD <password>
set rhosts <ip>
set rport <port>
set lhost <ip>
set target <target #>
run
Gogs
msfconsole
use multi/http/gogs_git_hooks_rce
set USERNAME <username>
set PASSWORD <password>
set rhosts <ip>
set rport <port>
set lhost <ip>
set target <target #>
run