CVE-2021-22205: GitLab CE/EE Unauthenticated RCE Using ExifTool

Date: 2025-08-01 | Affected software: GitLab CE EE | PoC: published

Vulnerability description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.

fofa: title="Gitlab"
shodan: http.title:"GitLab"

PoC code [published]

id: CVE-2021-22205

info:
  name: GitLab CE/EE Unauthenticated RCE Using ExifTool
  author: pdteam
  severity: critical
  description: |
    An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.  This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests.  Positive matches do not guarantee exploitability.  Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
    fofa: title="Gitlab"
    shodan: http.title:"GitLab"
  solutions: Upgrade to versions 13.10.3, 13.9.6, 13.8.8, or higher.
  reference:
    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
    - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
    - https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
    - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
    - https://hackerone.com/reports/1154542
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
    - https://mp.weixin.qq.com/s/4QT-vxKpBn4ppNM9ipt-nQ
  tags: oast,intrusive,hackerone,cve,cve2021,gitlab,rce,kev
  created: 2021/04/20

set:
  randbody: randomLowercase(32)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: GET
      path: /users/sign_in
      follow_redirects: true
    expression: 'response.status == 200 && "csrf-token\" content=\"(.*?)\"".bmatches(response.body)'
    output:
      search: '"csrf-token\" content=\"(?P<token>.*?)\"".bsubmatch(response.body)'
      token: search["token"]
      search1: '"Set-Cookie: (?P<cookie>.*?);".bsubmatch(response.raw_header)'
      cookie: search1["cookie"]
  r1:
    request:
      method: POST
      path: /uploads/user
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
        X-CSRF-Token: "{{token}}"
        Cookie: "{{cookie}}"
      follow_redirects: true
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\";filename=\"test.jpg\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        {{randbody}}\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 422 && response.body.bcontains(b'Failed to process image')
expression: r0() && r1()
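The template's "solutions" line names the fixed releases (13.10.3, 13.9.6, 13.8.8) and the description gives the first affected version (11.9). For defenders triaging an inventory of GitLab instances, the following added example (not part of the template or of GitLab's own tooling) turns those two facts into a version-range check; the helper names and the handling of "-ee"/"v" suffixes and prefixes are my own assumptions.

```python
from typing import Tuple

# Fixed releases from the template's "solutions" line, keyed by minor branch.
FIXED_BY_BRANCH = {
    (13, 10): (13, 10, 3),
    (13, 9): (13, 9, 6),
    (13, 8): (13, 8, 8),
}
# First affected release per the description ("all versions starting from 11.9").
FIRST_AFFECTED = (11, 9, 0)


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string such as '13.9.4', 'v13.9.4' or '13.9.4-ee'.

    Assumption: the edition suffix is separated by '-' and a leading 'v' may be present.
    """
    core = s.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """Return True if the given GitLab version falls inside the CVE-2021-22205 range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Within a patched branch, only releases older than the fix are affected.
        return v < FIXED_BY_BRANCH[branch]
    # Branches older than 13.8 never received a backported fix; 13.11+ ship fixed.
    return branch < (13, 8)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("git-a", "13.9.4-ee"), ("git-b", "13.10.3"), ("git-c", "12.10.0")]:
        print(host, ver, "VULNERABLE" if is_vulnerable(ver) else "fixed/unaffected")
```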
