Exploitation of CVE-2018–18925 a Remote Code Execution against the Git self hosted tool: Gogs.
Gogs is based on the
Macaron framework. The system used to manage session is very similar to what PHP does. The session identifier in the cookie is mapped to a file on the file system. When the web server receives a request with a session identifier (as a cookie), it looks up for the file on the file system.
The vulnerability is a simple directory traversal when retrieving the file used for the session on the file system. You can for example, set the
i_like_gogits cookie to
../../../../../../etc/passwd to get an error from the server.
In order to exploit the session bypass, we will need a way to upload a specially crafted file, then we will use this file as our session id, we can create our own crafted session id file with https://github.com/RyouYoo/CVE-2018-18925/blob/main/main.go.
go run main.go
Uploading the malicious file and logged in as administrator
When creating the copy of the repository locally, Gogs put the files in /data/gogs/data/tmp/local-repo/[REPO_ID]/[FILENAME] (this repository is only created when you use the “Upload file” functionality).
Where [FILENAME] is the name of the file you upload and [REPO_ID] is the repository identifier that can be found using the
5 is the repo id.
By default, the sessions are stored in
/data/gogs/data/sessions/. Therefore, you can use the following relative path for your session id:
../tmp/local-repo/[REPO_ID]/[FILENAME]. By using this path in your
i_like_gogits cookie, you should be logged in as
Remote Code Execution:
In order to get RCE, you can use the git hooks functionality in a given repository to run a shell script.
pre-receive inject your code:
Then make a push request, with git or with create file function to get the hook executed.