Description
This module exploits an account-take-over vulnerability that allows users to take control of a gitlab account without user interaction.
The vulnerability lies in the password reset functionality. Its possible to provide 2 emails and the reset code will be sent to both. It is therefore possible to provide the e-mail address of the target account as well as that of one we control, and to reset the password.
2-factor authentication prevents this vulnerability from being exploitable. There is no discernable difference between a vulnerable and non-vulnerable server response.
Vulnerable versions include: 16.1 < 16.1.6, 16.2 < 16.2.9, 16.3 < 16.3.7, 16.4 < 16.4.5, 16.5 < 16.5.6, 16.6 < 16.6.4, and 16.7 < 16.7.2.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/http/gitlab_password_reset_account_takeovermsf undefined(gitlab_password_reset_account_takeover) > show actions ...actions...msf undefined(gitlab_password_reset_account_takeover) > set ACTION < action-name >msf undefined(gitlab_password_reset_account_takeover) > show options ...show and set options...msf undefined(gitlab_password_reset_account_takeover) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub