nuclei-templates/cves/2021/CVE-2021-22205.yaml

128 lines
8.7 KiB
YAML

id: CVE-2021-22205
info:
name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
author: GitLab Red Team
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
reference:
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://hackerone.com/reports/1154542
- https://nvd.nist.gov/vuln/detail/CVE-2021-22205
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.90
cve-id: CVE-2021-22205
cwe-id: CWE-20
tags: cve,cve2021,gitlab,rce
requests:
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
redirects: true
max-redirects: 3
matchers:
- type: word
words:
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
- "0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753"
- "1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f"
- "14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4"
- "1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4"
- "20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6"
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
- "292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369"
- "2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae"
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
- "318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2"
- "33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1"
- "335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac"
- "34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86"
- "3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087"
- "340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86"
- "38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d"
- "3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd"
- "39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514"
- "39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09"
- "3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e"
- "3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb"
- "40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3"
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
- "4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b"
- "45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44"
- "473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117"
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
- "4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e"
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
- "504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb"
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
- "530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf"
- "5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71"
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
- "64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a"
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
- "67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2"
- "69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca"
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
- "70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b"
- "7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5"
- "73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d"
- "77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f"
- "78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab"
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
- "7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9"
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
- "83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1"
- "93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b"
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
- "9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b"
- "9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e"
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
- "aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b"
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
- "b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445"
- "bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca"
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
- "bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7"
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
- "d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c"
- "d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f"
- "dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56"
- "def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3"
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
- "e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0"
- "eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687"
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
- "ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd"
- "ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83"
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
- "f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649"
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
condition: or
extractors:
- type: regex
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'