
Example Analysis of arbitrary File Reading vulnerability in Gitlab

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article presents an example analysis of an arbitrary file read vulnerability in GitLab. It has some reference value, and interested readers may refer to it. I hope you will gain a lot from reading it.

GitLab arbitrary file read vulnerability (CVE-2016-9086)

Port: 80

GitLab is an open-source application written in Ruby on Rails that implements a self-hosted Git repository service; public and private projects can be accessed through its web interface. Researchers found that several versions contain an arbitrary file read vulnerability (CVE-2016-9086) and an arbitrary user authentication_token disclosure vulnerability. Chained together, these allow an attacker to obtain administrator privileges and thereby control every project on the GitLab instance.

Affected versions:

Arbitrary file read vulnerability (CVE-2016-9086): GitLab CE/EE versions 8.9, 8.10, 8.11, 8.12 and 8.13

Arbitrary user authentication_token disclosure vulnerability: GitLab CE/EE versions 8.10.3-8.10.5

Vulnerability analysis

Building on earlier research, this article analyzes only the arbitrary file read vulnerability.

Starting with version 8.9.0, GitLab added the ability to import and export projects. An empty GitLab project exports with the following structure:

    VERSION       # version of GitLab's export module
    project.json  # the project's configuration file

When GitLab imports such an export archive, it proceeds as follows:

1. The server reads the VERSION file and compares its contents with the version of the export module; the import continues only if they match.

2. The server creates a new project from project.json and copies the project files in the archive to the corresponding locations on the server.

The code that checks the VERSION file is in /lib/gitlab/import_export/version_checker.rb:

    ...
    def check!
      version = File.open(version_file, &:readline)
      verify_version!(version)
    rescue => e
      shared.error(e)
      false
    end
    ...
    def verify_version!(version)
      if Gem::Version.new(version) != Gem::Version.new(Gitlab::ImportExport.version)
        raise Gitlab::ImportExport::Error.new("Import version mismatch: Required #{Gitlab::ImportExport.version} but was #{version}")
      else
        true
      end
    end
    ...

The logic here is to read the first line of the VERSION file into the variable version and then compare version with the current export-module version: if they match, true is returned; if they differ, an error is raised whose message includes the value of version. The vulnerability's discoverer, Jobert Abma, used a symbolic link to turn this into an arbitrary file read. First, replace the VERSION file with a symbolic link and repackage the archive:

    ln -sf /etc/passwd VERSION
    tar zcf change_version.tar.gz ./

Now, when the server reads the VERSION file, it follows the symbolic link and assigns the first line of /etc/passwd to version. Because that value does not equal the current version, the error message containing version is returned, and with it the first line of /etc/passwd.

Reading only the first line of a file is of limited use, however, and the discoverer kept looking. The code that reads the configuration file project.json is in /lib/gitlab/import_export/project_tree_restorer.rb:

    def restore
      json = IO.read(@path)
      tree_hash = ActiveSupport::JSON.decode(json)
      project_members = tree_hash.delete('project_members')
      ActiveRecord::Base.no_touching do
        create_relations
      end
    rescue => e
      shared.error(e)
      false
    end
    ...

Here the same symbolic-link trick makes the variable json hold the full contents of an arbitrary file. Because that content is not valid JSON, decoding raises an exception, and the exception message, which carries the file's contents, is displayed on the front end. Create the symbolic link and package the archive:

    ln -sf /etc/passwd project.json
    tar zcf change_version.tar.gz ./

Test environment

The following test environment uses the vulhub Docker image; the project link is: https://github.com/vulhub/vulhub

Build and start the environment:

    docker-compose up -d

Run this environment on a VPS or virtual machine with at least 2 GB of memory; in testing, a machine with 1 GB of memory could not run GitLab properly (it returned a 502 error after starting).

Vulnerability reproduction

Once the environment is running, the web port is 10080 and the SSH port is 10022. Visit http://your-ip:10080, set the administrator (username root) password, and log in.

Create a new project and choose the GitLab export import option:

Upload test.tar.gz and the contents of the /etc/passwd file are returned:

Vulnerability fix

The official fix does two things: first, symbolic links are removed from the import archive; second, when VERSION and project.json are read, any error is written to the server log instead of being returned to the front end.
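The following Ruby code is an added example, not GitLab's own code, that shows the two hardening measures just described (and the two read paths analyzed earlier) in working form: an import directory is first stripped of every symbolic link, and only then is VERSION read; a version mismatch is logged server-side and the client receives a generic message that never echoes what the file held. The module name ImportHardening, the expected version string, the constructed temporary directories and the file names inside them are all assumptions made for the example.

```ruby
require 'fileutils'
require 'tmpdir'
require 'logger'
require 'rubygems'

# Hypothetical module; not GitLab's import/export code.
module ImportHardening
  class ImportError < StandardError; end

  # Version the importer accepts (constructed value for this example).
  EXPECTED_VERSION = '0.1.0'.freeze
  LOGGER = Logger.new($stderr)

  # Walk the extracted archive and delete every symbolic link before any
  # file in it is opened. File.delete unlinks the link itself, never the
  # target, and Dir.glob does not descend into symlinked directories.
  # Returns the paths that were removed.
  def self.strip_symlinks!(dir)
    removed = []
    Dir.glob(File.join(dir, '**', '*'), File::FNM_DOTMATCH).each do |path|
      base = File.basename(path)
      next if base == '.' || base == '..'
      next unless File.symlink?(path)
      File.delete(path)
      removed << path
    end
    removed
  end

  # Read the first line of VERSION and compare it with EXPECTED_VERSION.
  # The raw value goes to the server log; the caller only ever sees a
  # fixed message, so nothing read from disk can leak to the client.
  def self.verify_version!(import_dir)
    version_file = File.join(import_dir, 'VERSION')
    unless File.file?(version_file) && !File.symlink?(version_file)
      raise ImportError, 'VERSION is missing or not a regular file'
    end
    version = File.open(version_file) { |f| f.gets.to_s.strip }
    ok = Gem::Version.correct?(version) &&
         Gem::Version.new(version) == Gem::Version.new(EXPECTED_VERSION)
    unless ok
      LOGGER.warn("Import version mismatch: required #{EXPECTED_VERSION}, " \
                  "archive declared #{version.inspect}")
      raise ImportError, 'Import version mismatch'
    end
    true
  end

  # Sanitize, then check. Returns [removed_symlink_paths, error_message_or_nil].
  def self.import(dir)
    removed = strip_symlinks!(dir)
    verify_version!(dir)
    [removed, nil]
  rescue ImportError => e
    [removed || [], e.message]
  end

  # Constructed demonstration: an archive whose VERSION is a symlink to a
  # file holding a secret line. After sanitizing, the link is gone and the
  # error message says nothing about the secret.
  def self.demo
    Dir.mktmpdir do |d|
      File.write(File.join(d, 'secret.txt'), "constructed-secret-line\n")
      File.symlink(File.join(d, 'secret.txt'), File.join(d, 'VERSION'))
      removed, err = import(d)
      { removed: removed.map { |p| File.basename(p) }, error: err }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts ImportHardening.demo.inspect
end
```

Two details matter in practice: File.file? follows symbolic links, so the explicit File.symlink? check is what actually refuses a link that survived extraction, and the generic error string is the only thing that can reach a response body; the logged line is where an operator would look when an import with a forged VERSION shows up.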
