Gitea Git Hooks Remote Code Execution
Description
This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create `git hooks`, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator. To achieve code execution, the module authenticates to the Gitea web interface, creates a temporary repository, sets a `post-receive` git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface. It has been mitigated in version 1.13.0 by setting the Gitea `DISABLE_GIT_HOOKS` configuration setting to `true` by default. This disables this feature and prevents all users (including admin) from creating custom git hooks. This module has been tested successfully against docker versions 1.12.5, 1.12.6 and 1.13.6 with `DISABLE_GIT_HOOKS` set to `false`, and on version 1.12.6 on Windows.
Author(s)
- Podalirius
- Christophe De La Fuente
Platform
Linux,Unix,Windows
Architectures
cmd, x86, x64
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/gitea_git_hooks_rce
msf exploit(gitea_git_hooks_rce) > show targets
...targets...
msf exploit(gitea_git_hooks_rce) > set TARGET < target-id >
msf exploit(gitea_git_hooks_rce) > show options
...show and set options...
msf exploit(gitea_git_hooks_rce) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security