module
Gogs Git Hooks Remote Code Execution
| Disclosed | Created |
|---|---|
| 10/07/2020 | 04/08/2021 |
Disclosed
10/07/2020
Created
04/08/2021
Description
This module leverages an insecure setting to get remote code
execution on the target OS in the context of the user running Gogs.
This is possible when the current user is allowed to create `git
hooks`, which is the default for administrative users. For
non-administrative users, the permission needs to be specifically
granted by an administrator.
To achieve code execution, the module authenticates to the Gogs web
interface, creates a temporary repository, sets a `post-receive` git
hook with the payload and creates a dummy file in the repository.
This last action will trigger the git hook and execute the payload.
Everything is done through the web interface.
No mitigation has been implemented so far (latest stable version is
0.12.3).
This module has been tested successfully against version 0.12.3 on
docker. Windows version could not be tested since the git hook feature
seems to be broken.
execution on the target OS in the context of the user running Gogs.
This is possible when the current user is allowed to create `git
hooks`, which is the default for administrative users. For
non-administrative users, the permission needs to be specifically
granted by an administrator.
To achieve code execution, the module authenticates to the Gogs web
interface, creates a temporary repository, sets a `post-receive` git
hook with the payload and creates a dummy file in the repository.
This last action will trigger the git hook and execute the payload.
Everything is done through the web interface.
No mitigation has been implemented so far (latest stable version is
0.12.3).
This module has been tested successfully against version 0.12.3 on
docker. Windows version could not be tested since the git hook feature
seems to be broken.
Authors
PodaliriusChristophe De La Fuente
Platform
Linux,Unix,Windows
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/multi/http/gogs_git_hooks_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.