CVE-2018–18925

Exploitation of CVE-2018–18925 a Remote Code Execution against the Git self hosted tool: Gogs.

Gogs is based on the Macaron framework. The system used to manage session is very similar to what PHP does. The session identifier in the cookie is mapped to a file on the file system. When the web server receives a request with a session identifier (as a cookie), it looks up for the file on the file system.

The vulnerability is a simple directory traversal when retrieving the file used for the session on the file system. You can for example, set the i_like_gogits cookie to ../../../../../../etc/passwd to get an error from the server.

Exploitation:

In order to exploit the session bypass, we will need a way to upload a specially crafted file, then we will use this file as our session id, we can create our own crafted session id file with https://github.com/RyouYoo/CVE-2018-18925/blob/main/main.go.

Usage:

go run main.go

Uploading the malicious file and logged in as administrator

When creating the copy of the repository locally, Gogs put the files in /data/gogs/data/tmp/local-repo/[REPO_ID]/[FILENAME] (this repository is only created when you use the “Upload file” functionality).

Where [FILENAME] is the name of the file you upload and [REPO_ID] is the repository identifier that can be found using the Fork link:

Where 5 is the repo id.

By default, the sessions are stored in /data/gogs/data/sessions/. Therefore, you can use the following relative path for your session id: ../tmp/local-repo/[REPO_ID]/[FILENAME]. By using this path in your i_like_gogits cookie, you should be logged in as administrator.

Remote Code Execution:

In order to get RCE, you can use the git hooks functionality in a given repository to run a shell script.

In pre-receive inject your code:

Then make a push request, with git or with create file function to get the hook executed.