GitLab 11.4.7 Remote Code Execution - Real World CTF 2018
Key Takeaways
The video demonstrates a remote code execution vulnerability in GitLab 11.4.7 by exploiting two CVEs: CVE-2018-19571 (SSRF) and CVE-2018-19585 (CRLF), using tools like Docker, Burp, and Netcat.
Full Transcript
during the real-world CTF we had to decide which challenge is to try and which not to flag Gleb was listed as a web challenge and had the following description you might need a zero-day you get a link to a hosted web site as well as a download link it turns out that there was a gitlab hosted and from the download which contains a docker compose file it tells us that it's get lab version 11.4 dot 7 so we quickly searched for how old that version is and we found this blog from the 21st of November about this release remember that we were playing on 1st of December so we thought oh crap that seems like the latest up-to-date version we won't ever find a zero-day in this huge codebase let's not waste our time turns out we kind of effed up during a post CTF dinner with other teams some people from RPI SEC told me that it was not the latest release there was our 11 dot 4 dot 8 and the commit history of that newer version reveals several security patches and one of them the SS RF in webhooks was even by neon gava of Jaden Tech which is the company that organizes the CTF knowing all that it was actually a super simple challenge and I'm so mad that I gave up on this challenge so quickly because five more minutes of research would have been enough to lead me down to a path of solving this anyway after the CTF I sat down and I tried to use this knowledge now to solve the challenge okay so first we have to set everything up I noticed that in the docker compose file some absolute paths are used so I changed them to relative paths these folders will be mounted onto this path inside of the docker container we can also see here that a flag file is required that is loaded into the root of the file system as well as some other password file then we can simply type docker compose up to pull the docker images which during the CTF would have taken ages because of Chinese internet once it's all downloaded the docker container is starting up and get lab starts to do its setup magic which takes more time but looks like it's done now then I start Chrome with some parameters to set a HTTP proxy from the docker compose file you can also learn that the HTTP port ad is mapped to port 50 80 so let's try to open that page in Chrome but I haven't started to proxy yet so let me start burb and here we go by the way I wasn't able to intercept requests to one two 7.00 one at first and I'm not sure exactly why I checked the excluded ranges but that wasn't it however I found out by specifying a fake domain and etc' hosts for localhost so localhost come Chrome will do the request over the proxy and we can see here the requests in the history okay now that we are set up we have to find the bug to exploit like I said in the beginning we thought it was an up-to-date version but in fact there was a newer version 11.4 dot 8 with several security issues fixed and one even reference Titan Tech who organized the CTF we also know that the flag is in the root of the filesystem so we need a file disclosure of vulnerability or remote code execution so let's have a look at the patches to do that we can simply go to the official gate lab repository and search for the tag with the 11.4 that it version next we can look at the commit history to look for the security patches and we can immediately find these merge commits of security patches SS RF issue with ipv6 in web hooks XSS which is rather uninteresting and a crlf issue carriage return line feed so a new line now we can have a quick look at them here's the SSR F issue with ipv6 fix SSR F in project integrations the cool thing about well-documented and structured software projects is that developers write tests so we can just scroll down to the test that will make sure no regressions of this bug reappears these tests basically tell us how it was possible to exploit this issue so apparently ipv6 URLs like zero zero zero zero zero ffff one two 7.00 one bypasses the block your L check this is a special ipv6 address to embed an ipv4 address cool the other issue was fixed crlf vulnerability and project hooks and also scrolling down some tests we see it was simply about URLs with new lines either URL encoded as percentage a or simply regular new lines so now the question is do these issues make sense and help us in any way to exploit gitlab yes this can be turned into a remote code execution it's actually a very typical security issue it's a SS RF a server site request forgery which you can use to target the local internal Redis database which is used extensively in very typically for different types of workers and so you can push a malicious worker package and that leads to an arbitrary code execution and gate lab was exploited like this several times before it's a known CTF challenge and there are many bug bounty write-ups about this topic it's difficult for me to remember where I saw this technique the first time but I believe it was a Gary Nicolas Gregoire in like 2014 or 2015 but I definitely also read several back party write-ups over the years about it so every web pentester and web bug bounty hunter should actually know this but let's first check if we can trigger a SS RF somewhere at first I thought about targeting web hooks which can be used to specify a URL that gitlab will send a request to when things happen on the repository but specify a local host URL instead but when I clicked on create new project and noticed the import project option and here are multiple ways to import a repository one being from a git repository URL and here are a few examples we can use a HTTP HTTP orchid URL to enter a repository and so for example we could try to enter localhost here instead so one two seven zero zero one and try to import from there but we get an error that import URL is blocked request to localhost are not allowed but we can try the ipv6 bypass which we have found in the patch I already went ahead into burb and put the request to import this URL into the repeater and replace the URL with the ipv6 version I also added port one two three four here for reason you see in a second to test this as SRF we need to get into the get LabCorp container so talk up he has to fight the running container and then we can do docker exec with - I T to keep acid in and create a Zulu or TTY terminal specify the container ID and execute bin bears to get a shell this process is now running inside of the container so we have a shell here net cat is not installed so we first have to app to update in an apt install net kit once this is done we can simply netcat and listen on port one two three four next we go into burg repeater we have to adjust the name of the project because we created it already and so for a new project we need a new unique name and when we send the request to import this repository after a short moment we receive an HTTP GET request to the URL that we have specified awesome ss RF to localhost confirmed now we want to target Redis with this Redis is an open source in memory data structure store used as a database cache and message broker and it works basically with key and value pairs and the protocol it uses to communicate is absolutely simple it's a line based command protocol with PS we can find the Redis server command and the port 6-3 79 and then we can use netiquette to connect to it and as you can see we can enter any invalid commands and read as well simply in form us from it being wrong even when you enter a valid but incomplete commands it just responds with an arrow let's try a ballad c'mon let's set the key life overflow to test that went okay and said more garbage and now we get the value of life overflow and here this test as you know netcat simply opens a TCP socket and we are sending here simple ASCII payloads to Redis HTTP is also a simple ASCII text based protocol and some really smart people realized well then what would happen if you simply send an HTTP GET request to Redis each line of the HTTP GET request would then be a Redis command know to test this we can simply copy the get request from the SS RF and paste it into a netcat session with Redis and we see an error wrong number of arguments forget command which makes sense because get is a Redis command but then we also somehow drop back to the shell let's connect again and do it line by line get and we see the error and next the host HTTP header host : boom connection dropped because SS RF to Redis is such a huge issue redness has actually introduced a fix where they basically try to detect them arriving HTTP requests this callback is bound to post and host : command names those are not really commands but are used in security attacks in order to talk to Redis instances via HTTP with a technique called cross protocol scripting which exploits the fact that services like Redis will discard invalid HTTP headers enroll process what follows as a protection against this attack Redis will terminate the connection when a post or host : header is seen and will log the event from time to time so you should maybe check your Redis logs for this warning if you see it you have some big issues so that's why this connection is dropped here at the host : but this is a get request and get is actually a valid Redis command so if we can somehow get Redis commands in front of host then we could still execute some and this is where newline injection could help us commands have to be at the start of the line so the idea would be to simply use new lines in the get path and if that works we could inject commands before the host header but when I tried that with a few lines to test it I noticed that no request arrives I don't have the time to dig into the code why maybe this particular request was already protect against this I don't know then but I had another idea the supported protocols are HTTP HTTPS and git I actually have never looked into how the git protocol looks like and what it's sent when you try to get cloned this repository so I simply use netcat again and perform a git clone with a git URL to localhost and dead port and this is what we get netcat receives some weird data get upload pack and that URL path test protocol kit so we can control this part and maybe newline injection works here let's try it I go to burp again change the protocol from HTTP to get and check if netcat will receive it one more in place there we go we receive it and the new lines are there awesome now we just have to figure out what we can send to red is to get code execution luckily like I said git lab had this issue multiple times before so we can find an awesome write up by Joe board where he shared this technique of using the get lab cue for system hooks and registers a gitlab shell worker which eventually will execute this command here in this case Who am I and sends it via net ket away cool so I first quickly check if we can reach my outside laptop from within docker and so I look up my IP and set up a netcat listener and then from inside the darker container I try to connect there and yes that works so now I just have to copy those reddit commands I noticed that each command has to have some spaces in front because for whatever reason they get swallowed by something and I also added a few xx because otherwise the last command would be invalid because of how the SS RF sends it and of course the very important we replaced payload with cut slash flag and sent the output away to my laptop with net cut now we just have to execute it wait a moment and boom the flag arrives damn this was so simple after having heard from the guys at RPI SEC that 11.4 dot 7 was not the latest version and there were security issues reported by Triton about SS RF it was just a matter of maybe two or three hours I had to fight with some set of issues and stuff never goes smooth but it was all straightforward regardless if we had just looked at this during the CTF why did you write zero day when in fact it was a one day we were so scared because of that reason it makes me so mad dang it anyway glad I solved it after all [Music] you [Music]
Original Description
Video write-up about the Real World CTF challenge "flaglab" that involved exploiting a gitlab 1day. Actually two CVEs are combined to achieve full remote code execution:
CVE-2018-19571 (SSRF) + CVE-2018-19585 (CRLF) = RCE
flaglab - docker-compose: https://gist.github.com/LiveOverflow/8bf92dd86e5c481fb484af83c64e83b3#file-docker-compose-yml
Release: https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
#CTF #CVE
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveOverflow · LiveOverflow · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
LiveOverflow - Trailer
LiveOverflow
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
Writing a simple Program in C
LiveOverflow
Writing a simple Program in Python - bin 0x03
LiveOverflow
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
A simple Format String exploit example - bin 0x11
LiveOverflow
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
The Heap: Once upon a free() - bin 0x17
LiveOverflow
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
TCP Protocol introduction - bin 0x1A
LiveOverflow
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
Linux signals and core dumps - bin 0x1C
LiveOverflow
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
How to learn hacking? ft. Rubber Ducky
LiveOverflow
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow
More on: Tool Use & Function Calling
View skill →Related Reads
📰
📰
📰
📰
Learn AI Training from Industry Experts at Visualpath
Dev.to · kalyan visualpath
AI Theatre: The Gap Between Talking About AI and Actually Using It
Medium · Cybersecurity
How to Structure Content for AI-First Indexing: 7 Rules That Get You Cited
Medium · AI
The Last Premium: What Stays Expensive When Thinking Gets Free
Medium · Data Science
🎓
Tutor Explanation
DeepCamp AI