CVE-2018–18925
--
Exploitation of CVE-2018–18925 a Remote Code Execution against the Git self hosted tool: Gogs.
Gogs is based on the Macaron
framework. The system used to manage session is very similar to what PHP does. The session identifier in the cookie is mapped to a file on the file system. When the web server receives a request with a session identifier (as a cookie), it looks up for the file on the file system.
The vulnerability is a simple directory traversal when retrieving the file used for the session on the file system. You can for example, set the i_like_gogits
cookie to ../../../../../../etc/passwd
to get an error from the server.
Exploitation:
In order to exploit the session bypass, we will need a way to upload a specially crafted file, then we will use this file as our session id, we can create our own crafted session id file with https://github.com/RyouYoo/CVE-2018-18925/blob/main/main.go.
Usage:
go run main.go
Uploading the malicious file and logged in as administrator
When creating the copy of the repository locally, Gogs put the files in /data/gogs/data/tmp/local-repo/[REPO_ID]/[FILENAME] (this repository is only created when you use the “Upload file” functionality).
Where [FILENAME] is the name of the file you upload and [REPO_ID] is the repository identifier that can be found using the Fork
link:
Where 5
is the repo id.
By default, the sessions are stored in /data/gogs/data/sessions/
. Therefore, you can use the following relative path for your session id: ../tmp/local-repo/[REPO_ID]/[FILENAME]
. By using this path in your i_like_gogits
cookie, you should be logged in as administrator
.
Remote Code Execution:
In order to get RCE, you can use the git hooks functionality in a given repository to run a shell script.
In pre-receive
inject your code:
Then make a push request, with git or with create file function to get the hook executed.