module
Gitea Git Hooks Remote Code Execution
| Disclosed |
|---|
| Oct 7, 2020 |
Disclosed
Oct 7, 2020
Description
This module leverages an insecure setting to get remote code
execution on the target OS in the context of the user running Gitea.
This is possible when the current user is allowed to create `git
hooks`, which is the default for administrative users. For
non-administrative users, the permission needs to be specifically
granted by an administrator.
To achieve code execution, the module authenticates to the Gitea web
interface, creates a temporary repository, sets a `post-receive` git
hook with the payload and creates a dummy file in the repository.
This last action will trigger the git hook and execute the payload.
Everything is done through the web interface.
It has been mitigated in version 1.13.0 by setting the Gitea
`DISABLE_GIT_HOOKS` configuration setting to `true` by default. This
disables this feature and prevents all users (including admin) from
creating custom git hooks.
This module has been tested successfully against docker versions 1.12.5,
1.12.6 and 1.13.6 with `DISABLE_GIT_HOOKS` set to `false`, and on
version 1.12.6 on Windows.
execution on the target OS in the context of the user running Gitea.
This is possible when the current user is allowed to create `git
hooks`, which is the default for administrative users. For
non-administrative users, the permission needs to be specifically
granted by an administrator.
To achieve code execution, the module authenticates to the Gitea web
interface, creates a temporary repository, sets a `post-receive` git
hook with the payload and creates a dummy file in the repository.
This last action will trigger the git hook and execute the payload.
Everything is done through the web interface.
It has been mitigated in version 1.13.0 by setting the Gitea
`DISABLE_GIT_HOOKS` configuration setting to `true` by default. This
disables this feature and prevents all users (including admin) from
creating custom git hooks.
This module has been tested successfully against docker versions 1.12.5,
1.12.6 and 1.13.6 with `DISABLE_GIT_HOOKS` set to `false`, and on
version 1.12.6 on Windows.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.