MAJOR EXPLOIT: GitLab was Hacked with an IMAGE??

Daniel Boctor ยท Beginner ยท๐Ÿ” Cybersecurity ยท2y ago

About this lesson

Try SquareX for free today! ๐Ÿ‘‰ https://sqrx.io/db_yt In this video, we take a deep dive into the GitLab / ExifTool metadata parsing vulnerability, which enables attackers to gain access to GitLab servers via an RCE (remote code execution). Whether you're a pen tester, security researcher, or cyber security expert, having a solid foundation in escape sequences, code evaluation, and character parsing is critical. JOIN THE DISCORD! ๐Ÿ‘‰ https://discord.gg/WYqqp7DXbm 0:00 - Overview 0:26- Metadata 1:59 - DjVu 2:34 - C Escape Sequences 4:18 - Structure 11:14 - Exploit 13:45 - SquareX Hackerone report https://hackerone.com/reports/1154542 William Bowlingโ€™s report https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html Vulnerable code https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm Patch https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031 SquareX socials: Twitter: https://twitter.com/getsquarex LinkedIn: https://www.linkedin.com/company/getsquarex/ Instagram: https://www.instagram.com/getsquarex/ Facebook: https://www.facebook.com/getsquarex Blog: https://labs.sqrx.com/ MUSIC CREDITS: LEMMiNO - Cipher https://www.youtube.com/watch?v=b0q5PR1xpA0 CC BY-SA 4.0 LEMMiNO - Firecracker https://www.youtube.com/watch?v=ulfoU2MziOc CC BY-SA 4.0 LEMMiNO - Nocturnal https://www.youtube.com/watch?v=epmoV2HRs9U CC BY-SA 4.0 LEMMiNO - Siberian https://www.youtube.com/watch?v=5py6E6yo7wk CC BY-SA 4.0 LEMMiNO - Encounters https://www.youtube.com/watch?v=xdwWCl_5x2s CC BY-SA 4.0 #programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #bugbounties #ethicalhacking #JPEG #encoding #lowlevelsecurity #zeroday #zero-day #cybersecurityexplained #bugbounty #memorymanagement #gitlab #security #cybersecurity #g

Original Description

Try SquareX for free today! ๐Ÿ‘‰ https://sqrx.io/db_yt In this video, we take a deep dive into the GitLab / ExifTool metadata parsing vulnerability, which enables attackers to gain access to GitLab servers via an RCE (remote code execution). Whether you're a pen tester, security researcher, or cyber security expert, having a solid foundation in escape sequences, code evaluation, and character parsing is critical. JOIN THE DISCORD! ๐Ÿ‘‰ https://discord.gg/WYqqp7DXbm 0:00 - Overview 0:26- Metadata 1:59 - DjVu 2:34 - C Escape Sequences 4:18 - Structure 11:14 - Exploit 13:45 - SquareX Hackerone report https://hackerone.com/reports/1154542 William Bowlingโ€™s report https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html Vulnerable code https://github.com/exiftool/exiftool/blob/11.70/lib/Image/ExifTool/DjVu.pm Patch https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031 SquareX socials: Twitter: https://twitter.com/getsquarex LinkedIn: https://www.linkedin.com/company/getsquarex/ Instagram: https://www.instagram.com/getsquarex/ Facebook: https://www.facebook.com/getsquarex Blog: https://labs.sqrx.com/ MUSIC CREDITS: LEMMiNO - Cipher https://www.youtube.com/watch?v=b0q5PR1xpA0 CC BY-SA 4.0 LEMMiNO - Firecracker https://www.youtube.com/watch?v=ulfoU2MziOc CC BY-SA 4.0 LEMMiNO - Nocturnal https://www.youtube.com/watch?v=epmoV2HRs9U CC BY-SA 4.0 LEMMiNO - Siberian https://www.youtube.com/watch?v=5py6E6yo7wk CC BY-SA 4.0 LEMMiNO - Encounters https://www.youtube.com/watch?v=xdwWCl_5x2s CC BY-SA 4.0 #programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #bugbounties #ethicalhacking #JPEG #encoding #lowlevelsecurity #zeroday #zero-day #cybersecurityexplained #bugbounty #memorymanagement #gitlab #security #cybersecurity #g
Watch on YouTube โ†— (saves to browser)
Sign in to unlock AI tutor explanation ยท โšก30

Related Reads

๐Ÿ“ฐ
IDOR simple way with no burpsuite banged P3
Learn a simple way to identify IDOR vulnerabilities without using Burpsuite, and understand the impact and reporting of such vulnerabilities
Medium ยท Cybersecurity
๐Ÿ“ฐ
OneLake Security Just Hit GA.
OneLake Security hits general availability, enhancing Microsoft's security capabilities
Medium ยท Data Science
๐Ÿ“ฐ
How Cyber Security Consultants in Perth Help Businesses Strengthen IT Protection
Learn how cyber security consultants in Perth can help businesses strengthen IT protection and prevent cyber threats
Medium ยท Cybersecurity
๐Ÿ“ฐ
How to PASS CISSP exam in one-go for REAL
Learn how to pass the CISSP exam in one attempt with tips from a personal experience, focusing on careful question reading and technique application.
Medium ยท Cybersecurity

Chapters (6)

Overview
1:59 DjVu
2:34 C Escape Sequences
4:18 Structure
11:14 Exploit
13:45 SquareX
Up next
Best VPN For China 2026 โ€” Which One Actually Works?
Tutorial Stack
Watch โ†’