
Denial of Service Attack on gitlab-shell

HackerOne report #953444 by yvvdwf on 2020-08-07, assigned to @ngeorge1:


Report

Hi,

I found that gitlab-shell allows generating 2FA keys by executing the 2fa_recovery_codes command.
Before generating the key, it reads the confirmation directly from the user (twofactorrecover.go#L36):

	....
	var answer string
	fmt.Fscanln(c.ReadWriter.In, &answer)

	return answer == "yes"
	....

The user's response will be loaded into the answer variable. Attackers may provide huge data to keep gitlab-shell busy.

Steps to reproduce
  1. Open a terminal and execute the following command (replace gl.local with your GitLab URL): cat /dev/random | base64 | ssh git@gl.local '2fa_recovery_codes'
  2. While the command is being executed, you should see that gitlab-shell uses 100% CPU (of one core?) and its memory increases over time.
Impact

An attacker may cause a denial of service for gitlab-shell.

What is the current bug behavior?

As presented above, gitlab-shell reads the user's response directly from the client's stream. It loads data from the client's stream into the answer variable until the end of the stream.

What is the expected correct behavior?

gitlab-shell should limit the size of the user's response.
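The following Go program is an added example, not the reporter's code and not gitlab-shell's actual fix. It replicates the quoted fmt.Fscanln pattern beside a bounded variant that reads at most a fixed number of bytes of the first line, and measures how much of a constructed whitespace-free stream (a stand-in for `base64 -w 0 </dev/random`) each variant pulls from the client. The names readConfirmationUnbounded, readConfirmationBounded, the limit maxAnswerLen and the hostile-stream size are assumptions made for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxAnswerLen is an assumed limit: "yes" is 3 bytes, so 16 leaves ample room.
const maxAnswerLen = 16

// errAnswerTooLong is returned when the client sends a longer first line.
var errAnswerTooLong = errors.New("confirmation answer exceeds size limit")

// readConfirmationUnbounded replicates the pattern quoted in the report:
// fmt.Fscanln reads the first whitespace-delimited token however long it is,
// so a client that never sends whitespace makes the process buffer the whole
// stream in memory before comparing it with "yes".
func readConfirmationUnbounded(in io.Reader) bool {
	var answer string
	fmt.Fscanln(in, &answer)
	return answer == "yes"
}

// readConfirmationBounded reads at most maxLen bytes of the first line and
// rejects anything longer without consuming the rest of the stream.
func readConfirmationBounded(in io.Reader, maxLen int) (bool, error) {
	// Allow one byte more than the limit so an over-long line is detectable
	// without ever reading more than maxLen+1 bytes from the client.
	limited := io.LimitReader(in, int64(maxLen)+1)
	line, err := bufio.NewReader(limited).ReadString('\n')
	if err != nil && err != io.EOF {
		return false, err
	}
	line = strings.TrimRight(line, "\r\n")
	if len(line) > maxLen {
		return false, errAnswerTooLong
	}
	return line == "yes", nil
}

// countingReader records how many bytes a consumer pulled from the stream.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// hostileStream is a constructed stand-in for `base64 -w 0 </dev/random`:
// size bytes with no whitespace, so the scanner never finds a token boundary.
func hostileStream(size int) io.Reader {
	return bytes.NewReader(bytes.Repeat([]byte{'A'}, size))
}

// bytesConsumed runs read against a hostile stream of the given size and
// returns how many bytes it pulled from the client before returning.
func bytesConsumed(read func(io.Reader), size int) int64 {
	cr := &countingReader{r: hostileStream(size)}
	read(cr)
	return cr.n
}

func main() {
	const size = 1 << 20 // 1 MiB here; a real attacker's stream is unbounded

	unbounded := bytesConsumed(func(r io.Reader) { readConfirmationUnbounded(r) }, size)
	bounded := bytesConsumed(func(r io.Reader) { readConfirmationBounded(r, maxAnswerLen) }, size)
	fmt.Printf("unbounded read consumed %d bytes, bounded read consumed %d bytes\n", unbounded, bounded)

	ok, err := readConfirmationBounded(strings.NewReader("yes\n"), maxAnswerLen)
	fmt.Println("legitimate 'yes':", ok, err)
	ok, err = readConfirmationBounded(hostileStream(size), maxAnswerLen)
	fmt.Println("hostile stream:", ok, err)
}
```

The unbounded variant reads the whole 1 MiB before it can compare anything, and fmt's fallback reader pulls it one byte at a time, which matches the CPU and memory growth described in the steps above. The bounded variant stops after maxAnswerLen+1 bytes, reports the over-long line as an error, and leaves the rest of the stream unread.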

Output of checks
Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)

System information  
System:		Ubuntu 18.04  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.6.6p146  
Gem Version:	2.7.10  
Bundler Version:1.17.3  
Rake Version:	12.3.3  
Redis Version:	5.0.9  
Git Version:	2.27.0  
Sidekiq Version:5.2.9  
Go Version:	unknown

GitLab information  
Version:	13.2.3-ee  
Revision:	640e2695514  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	11.7  
URL:		http://gl.local  
HTTP Clone URL:	http://gl.local/some-group/some-project.git  
SSH Clone URL:	git@gl.local:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: 

GitLab Shell  
Version:	13.3.0  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Impact

An attacker may cause a denial of service for gitlab-shell, and thus for the GitLab server.
