Lack of data validation - Path Traversal In gogs.io/gogs
Description
Gogs has Path Traversal in organization name that results in RCE through Git hooks
Summary
Organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem.
By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE).
Details
During organization creation, internal/database/org.go calls os.MkdirAll(repox.UserPath(org.Name)) without sanitizing org.Name.
Repository creation uses this name to decide where to write the Git bare repository's (org/name.git). By setting the org name to ../../../../tmp/test, and creating a repository under that organization, it gets written under /tmp/test on the server.
An attacker can abuse this in a clever way by writing to the /data/gogs/data/tmp/local-r/1 directory, being a local worktree of the git repositories inside of Gogs. These directories are editable by Git. By creating a repository nested inside of there, files like config and hooks/update are now referenced through the path traversal, and are editable by Git. This allows the attacker to edit the hooks/update script with malicious Bash commands and then to trigger the hook.
The steps to exploit this inside of Gogs are roughly (ignoring some syncing dummy actions):
Create regular outer repository and get its ID
Create organization named ../../../../data/gogs/data/tmp/local-r/{ID}/nested
Create a repository inside this organization (eg. rce), which will be written into the local clone of the outer repository
From the outer repository, edit nested/rce.git/hooks/update to contain malicious shell commands
Interact with the rce repository again to trigger the updated hook, and RCE is achieved
PoC
Set up a default Gogs instance by saving the following content to docker-compose.yml and running docker compose up:
services: db: image: postgres:16-alpine environment: POSTGRES_USER: gogs POSTGRES_PASSWORD: gogs POSTGRES_DB: gogs volumes:...
Visit http://localhost:3000, set the Host to db:5432 and Password to gogs. Under Admin Account Settings configure your admin account
As the attacker, register an account with username attacker and password attacker at http://localhost:3000/user/sign_up
As the attacker, run the following script (in gist to avoid cluttering this advisory):
https://gist.github.com/JorianWoltjer/4b72063338b27140f4439c524d98f2b9
The output should look like:
$ python3 gogs-rce.py step 1 token ok step 2 create personal repo 201 full_name attacker/writer-bd426045 step 3 web editor new file on attacker / writer-bd426045 step 4 GET writer repo -> local-r 1 step 5 create org 201 local-r 1 username ../../../../data/gogs/data/tmp/local-r/1/nested step 6 get org 200 username ../../../../data/gogs/data/tmp/local-r/1/nested step 7 create repo 201 full_name ../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 html_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7 clone_url http://localhost:3000/../../../../data/gogs/data/tmp/local-r/1/nested/rce-b175aca7.git...
Impact
In the default setting, users can self-register and then create their own organizations. From here they can perform this exploit to achieve RCE as the git user.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | 0.14.3 |
Aliases
References