Denial of Service Attack on gitlab-shell
HackerOne report #953444 by yvvdwf
on 2020-08-07, assigned to @ngeorge1:
Report
Hi,
I found that gitlab-shell allows generating 2FA keys by executing the 2fa_recovery_codes command.
Before generating the key, it reads a confirmation directly from the user (twofactorrecover.go#L36):
```go
// ....
var answer string
fmt.Fscanln(c.ReadWriter.In, &answer) // reads the client's answer with no size bound
return answer == "yes"
// ....
```
The user's response will be loaded into the answer variable. Attackers may provide huge data to keep gitlab-shell busy.
Steps to reproduce
- Open a terminal and execute the following command (please replace gl.local with your GitLab URL):
  cat /dev/random | base64 | ssh git@gl.local '2fa_recovery_codes'
- While the command is being executed, you should see that gitlab-shell uses 100% CPU (of one core?) and its memory increases over time.
Impact
An attacker may cause a denial of service for gitlab-shell.
What is the current bug behavior?
As presented above, gitlab-shell reads the user's response directly from the client's stream. It loads data from the client's stream into the answer variable until the end of the stream.
What is the expected correct behavior?
Gitlab-shell should limit the size of the user's response.
Output of checks
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of: sudo gitlab-rake gitlab:env:info)
System information
System: Ubuntu 18.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.27.0
Sidekiq Version: 5.2.9
Go Version: unknown
GitLab information
Version: 13.2.3-ee
Revision: 640e2695514
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: http://gl.local
HTTP Clone URL: http://gl.local/some-group/some-project.git
SSH Clone URL: git@gl.local:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 13.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Impact
An attacker may cause a denial of service for gitlab-shell, and thus for the GitLab server.
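The following is an added example, not code from the report or from gitlab-shell. It reproduces the pattern the report quotes (an unbounded fmt.Fscanln into a string) beside one way of bounding the read with io.LimitReader, so the two can be run against the same constructed 1 MiB newline-free stream, standing in for cat /dev/random | base64. The bound of 16 bytes (maxAnswerLen) and the ErrAnswerTooLong error are assumptions made for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxAnswerLen is an assumed bound for this example: "yes" or "no" needs far less.
const maxAnswerLen = 16

// ErrAnswerTooLong is returned when the client does not end its answer
// within maxAnswerLen bytes (assumed name, not from gitlab-shell).
var ErrAnswerTooLong = errors.New("confirmation answer exceeds maximum length")

// readConfirmationUnbounded reproduces the pattern quoted from
// twofactorrecover.go: Fscanln keeps appending runes to answer until it
// meets whitespace or EOF, so a client that never sends a newline makes
// the string, and the CPU time spent growing it, scale with the stream.
func readConfirmationUnbounded(in io.Reader) bool {
	var answer string
	fmt.Fscanln(in, &answer)
	return answer == "yes"
}

// readConfirmationBounded reads at most maxAnswerLen+1 bytes from the
// client. If no line ending arrives within that window the answer is
// rejected and nothing more is read from the stream.
func readConfirmationBounded(in io.Reader) (bool, error) {
	// LimitReader caps the bytes bufio can pull from the client stream.
	r := bufio.NewReader(io.LimitReader(in, maxAnswerLen+1))
	line, err := r.ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return false, err
	}
	answer := strings.TrimRight(line, "\r\n")
	if len(answer) > maxAnswerLen {
		return false, ErrAnswerTooLong
	}
	return answer == "yes", nil
}

func main() {
	// Constructed inputs: a normal confirmation and a 1 MiB stream with no
	// newline, standing in for the report's `cat /dev/random | base64`.
	flood := strings.Repeat("A", 1<<20)

	in := strings.NewReader("yes\n")
	fmt.Println("unbounded, normal answer:", readConfirmationUnbounded(in))

	in = strings.NewReader(flood)
	readConfirmationUnbounded(in)
	fmt.Println("unbounded, flood: bytes left unread:", in.Len()) // 0: the whole stream was consumed

	in = strings.NewReader(flood)
	ok, err := readConfirmationBounded(in)
	fmt.Println("bounded, flood:", ok, err, "bytes left unread:", in.Len()) // only maxAnswerLen+1 bytes were read
}
```

The bounded variant rejects the flood after 17 bytes and leaves the rest of the stream unread, whereas the unbounded read drains the entire 1 MiB into a single string before returning false.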