Spoofing commit author for signed commits
HackerOne report #1077019 by subbotin
on 2021-01-12, assigned to @rchan-gitlab:
Report
Summary
The "Verified" label for signed commits does not check the email for x509 signatures.
Steps to reproduce
Instructions are for Linux, but they may be useful for reproducing on other OSes.
- Create a valid x509 certificate for some email (I use https://www.actalis.it/en/certificates-for-secure-electronic-mail.aspx because it's the only service which makes free MIME certs).
- Import the cert into the store
gpgsm --import PKCS12_Credential_new@fake.email.pfx
- Create a .gitconfig like:
[user]
email = new@fake.email
name = target_account_on_gitlab_name
signingkey = 0xBFD04A72 # (your key id from the previous step; it can be found with `gpgsm -k`)
[commit]
gpgsign = true
[gpg]
program = gpgsm
- Make a new commit and push it to GitLab.
- Go to the page https://gitlab.com/group_name/project_name/-/commits/master and look at the badges.
- For a better picture you can change the avatar via gravatar.com.
Impact
Someone with a compromised SSH key but not a compromised GPG key or x509 cert.
Examples
https://gitlab.com/mr_tron/test/-/commits/master
You can see two commits on this page:
Both were made by me, and both have the label "Verified". They look identical (the only difference is the link under the commit name: one leads to my GitLab account, and the second is just "mailto:my@email"). Both commits are signed by an x509 MIME certificate. The initial commit I signed with my certificate issued to my email denis@subbot.in, which I use for registration on gitlab.org, but the second commit is signed by a certificate issued to a random temporary email (not really random; that's my old email, but I never mentioned it on gitlab.org).
GitHub.com, for example, adds the label "Unverified" in this situation. Look at the two last commits on this page: https://github.com/mr-tron/test-sign-x509/commits/master
What is the current bug behavior?
GitLab displays commits signed by an x509 certificate for any email as Verified.
It also displays the login for GitLab users, detected based on the login, in the same manner as "user.name" from the commit info.
What is the expected correct behavior?
It should display the label "Signed" or "Unverified", and not in green.
Relevant logs and/or screenshots
In attachments.
Output of checks
This bug happens to me on gitlab.org.
Impact
Attacker can impersonate someone else in gitlab web interface.
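The expected behaviour above comes down to one binding check: a commit may only be badged "Verified" when the committer email is one of the rfc822Name SANs of the signing certificate. The following Go program is an added example (not GitLab's code) that builds a constructed self-signed S/MIME-style certificate and applies that check; it assumes the chain has already been validated against a trusted CA, and the email addresses used are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// VerificationLabel returns "Verified" only when the commit author's email is
// among the rfc822Name SANs of the signing certificate; otherwise "Unverified".
// Chain validation against a trusted CA is assumed to have happened already.
func VerificationLabel(cert *x509.Certificate, authorEmail string) string {
	want := strings.ToLower(strings.TrimSpace(authorEmail))
	for _, e := range cert.EmailAddresses {
		if strings.ToLower(e) == want {
			return "Verified"
		}
	}
	return "Unverified"
}

// NewEmailCert builds a self-signed S/MIME-style certificate bound to one
// email address. Constructed test data only, not a CA-issued certificate.
func NewEmailCert(email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{email}, // the rfc822Name SAN the check relies on
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate issued to new@fake.email yields "Verified" for a commit authored as new@fake.email, but "Unverified" for a commit that borrows another account's display name while carrying a different author email.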