Urgent: ability to access all user authentication tokens, leads to RCE
- Title: Urgent: ability to access all user authentication tokens, leads to RCE
- Types: Information Disclosure, Privilege Escalation
- Link: https://hackerone.com/reports/158330
- Date: 2016-08-10 20:21:05 -0500
- By: jobert
Details:
Vulnerability details
The project export feature serializes the user objects of team members and stores it in the project.json file. This object contains the authentication_token for every user, meaning that an attacker can simply go ahead and create a project on GitLab.com, add one of the admins of GitLab.com, create an export, and obtain the authentication token for that user.
Proof of concept
Follow these steps to reproduce the issue:
- create a test account on a GitLab instance and create a temporary repository
- invite an admin of the GitLab instance as a team member to the repository
- go to the repository settings and create an export
- wait a few minutes until you receive the export email
- now go to http://gitlab-instance/account/repo/download_export
- unzip the downloaded file and examine projects.json
- the project_members will contain the user object that contains the authentication_token
Here's the first few bytes of rspeicher's (sorry Robert) authentication token on GitLab.com: [redacted]. Someone could get access to GitLab's admin panel by extracting the token of an admin and going to https://gitlab.com/admin/users?authentication_token=. From what I've seen on my own GitLab instance, this leads to RCE and gives me access to all code in private repositories. Let me know if you need more information!
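As an added example (not code from the report, nor GitLab's own implementation), here is the defensive pattern the report implies, in Ruby: serialize exported user records from an allowlist instead of dumping the whole object, and scan the resulting export tree for secret-bearing keys before it is shipped. The key names, attribute list and sample user record are constructed for illustration.

```ruby
require 'json'

# Keys that must never appear anywhere in an export, at any nesting depth (constructed list).
SECRET_KEYS = %w[authentication_token private_token encrypted_password password_hash].freeze

# Allowlist of user attributes that are safe to serialize into project_members (constructed).
EXPORTED_USER_ATTRS = %w[id username name].freeze

# Builds the user representation for an export from an allowlist rather than
# dumping the whole record: the deny-by-default fix for the leak described above.
def export_user(user)
  user.select { |k, _| EXPORTED_USER_ATTRS.include?(k) }
end

# Walks an arbitrary JSON structure and returns the JSON path of every key that
# matches SECRET_KEYS, so an export can be checked before it is handed to a user.
def find_secret_keys(node, path = '$')
  case node
  when Hash
    node.flat_map do |k, v|
      here = SECRET_KEYS.include?(k) ? ["#{path}.#{k}"] : []
      here + find_secret_keys(v, "#{path}.#{k}")
    end
  when Array
    node.each_with_index.flat_map { |v, i| find_secret_keys(v, "#{path}[#{i}]") }
  else
    []
  end
end

# Constructed sample: a full user record as an ORM would serialize it.
SAMPLE_USER = {
  'id' => 42, 'username' => 'admin-example', 'name' => 'Example Admin',
  'email' => 'admin@example.invalid',
  'authentication_token' => 'REDACTED-SAMPLE-TOKEN'
}.freeze

# The leaky export (entire user object embedded) beside the allowlisted one.
def leaky_export
  { 'project_members' => [{ 'access_level' => 40, 'user' => SAMPLE_USER }] }
end

def safe_export
  { 'project_members' => [{ 'access_level' => 40, 'user' => export_user(SAMPLE_USER) }] }
end
if __FILE__ == $PROGRAM_NAME
  puts "leaky: #{find_secret_keys(JSON.parse(JSON.generate(leaky_export))).inspect}"
  puts "safe:  #{find_secret_keys(JSON.parse(JSON.generate(safe_export))).inspect}"
end
```

Running the scanner over the leaky export reports the path of the embedded token, while the allowlisted export reports nothing.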