Misleading username could lead to impersonation in using SSH Certificates
HackerOne report #1087806 by ledz1996
on 2021-01-26, assigned to @cmaxim:
Report
Summary
There exists a vulnerability in checking the value of the argument passed to gitlab-shell, in `internal/command/commandargs/shell.go`:

```go
var (
	whoKeyRegex      = regexp.MustCompile(`\bkey-(?P<keyid>\d+)\b`)
	whoUsernameRegex = regexp.MustCompile(`\busername-(?P<username>\S+)\b`)
)
```

These regexes do not check whether the argument starts with either `key-` or `username-`.
Later on:

```go
for _, argument := range s.Arguments {
	if keyId := tryParseKeyId(argument); keyId != "" {
		s.GitlabKeyId = keyId
		break
	}
	if username := tryParseUsername(argument); username != "" {
		s.GitlabUsername = username
		break
	}
}
```
As you can see, `whoKeyRegex` and `whoUsernameRegex` are used to parse the username or the ID of the SSH key. However, because gitlab-shell checks for the key ID first, for example:

The username `key-2` will be passed as `username-key-2`. This would lead to:

- gitlab-shell parsing the argument via `tryParseKeyId`, so that `s.GitlabKeyId` will be `2`.
- gitlab-shell therefore identifying the user `key-2` as the one with key ID number 2.
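To make the ambiguity concrete, here is an added, self-contained Go example; it is not gitlab-shell's own code, and the `ParseLoose`/`ParseStrict` helpers and the anchored patterns are assumptions for illustration. It runs the unanchored patterns quoted above through the same key-first loop, and beside them an anchored variant in which the whole argument must be `key-<digits>` or `username-<name>`, over the same argument strings. Only the anchored form keeps `username-key-2` out of the key-ID branch, which is the check a reviewer would want on any `who` argument parser.

```go
package main

import (
	"fmt"
	"regexp"
)

// Unanchored patterns with the same shape as the ones quoted in the report.
// \b is a word boundary, and '-' is a non-word character, so "key-2" still
// matches when it appears after "username-".
var (
	looseKeyRegex      = regexp.MustCompile(`\bkey-(?P<keyid>\d+)\b`)
	looseUsernameRegex = regexp.MustCompile(`\busername-(?P<username>\S+)\b`)
)

// Anchored variants (assumed hardening for this example, not the patch the
// project shipped): the entire argument must be the key or username form.
var (
	strictKeyRegex      = regexp.MustCompile(`^key-(?P<keyid>\d+)$`)
	strictUsernameRegex = regexp.MustCompile(`^username-(?P<username>\S+)$`)
)

// Who records which identity a "who" argument resolved to.
type Who struct {
	KeyID    string
	Username string
}

// parseWho mirrors the loop in the report: the key-ID pattern is tried first,
// and the first argument that matches either pattern wins.
func parseWho(keyRe, userRe *regexp.Regexp, args []string) Who {
	var w Who
	for _, a := range args {
		if m := keyRe.FindStringSubmatch(a); m != nil {
			w.KeyID = m[1]
			break
		}
		if m := userRe.FindStringSubmatch(a); m != nil {
			w.Username = m[1]
			break
		}
	}
	return w
}

// ParseLoose uses the unanchored patterns (constructed helper name).
func ParseLoose(args []string) Who { return parseWho(looseKeyRegex, looseUsernameRegex, args) }

// ParseStrict uses the anchored patterns (constructed helper name).
func ParseStrict(args []string) Who { return parseWho(strictKeyRegex, strictUsernameRegex, args) }

func main() {
	// Constructed sample arguments: a real key ID, a plain username, and the
	// ambiguous username from the report.
	for _, arg := range []string{"key-2", "username-alice", "username-key-2"} {
		fmt.Printf("%-16s loose=%+v strict=%+v\n", arg,
			ParseLoose([]string{arg}), ParseStrict([]string{arg}))
	}
}
```

Running it shows `username-key-2` resolving to `KeyID:2` under the unanchored patterns and to `Username:key-2` under the anchored ones, while `key-2` and `username-alice` resolve identically in both.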
I tried to find a place where the GitLab username would be used in gitlab-shell, and found SSH certificate usage. Even though it's not very convincing, as it requires the CA server to generate a certificate with a username of something like `key-2`, I would report it anyway.
Steps to reproduce

Pre-requisites:

- Set up an SSH certificate system as in https://berndbausch.medium.com/ssh-certificates-a45bdcdfac39 or https://www.jadaptive.com/openssh-certificate-cheat-sheet/
- Set up SSH certificates in GitLab as in https://docs.gitlab.com/ee/administration/operations/ssh_certificates.html
- Have a user with an SSH key set up

Steps:

- Create an SSH certificate for a user named `key-2` (it is possible to create a user with this username in GitLab). This will allow the user receiving the certificate to impersonate the user with key ID 2.
- Do whatever the user mentioned previously could do with SSH access.
Video:
Impact
Impersonation, misleading regex.
Results of GitLab environment info
```
System information
System:         Ubuntu 16.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.7.2p137
Gem Version:    3.1.4
Bundler Version: 2.1.4
Rake Version:   13.0.1
Redis Version:  5.0.9
Git Version:    2.29.0
Sidekiq Version: 5.2.9
Go Version:     unknown

GitLab information
Version:        13.7.4-ee
Revision:       368b4fb2eee
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     11.9
URL:            http://gitlab3.example.vm
HTTP Clone URL: http://gitlab3.example.vm/some-group/some-project.git
SSH Clone URL:  git@gitlab3.example.vm:some-group/some-project.git
Elasticsearch:  no
Geo:            yes
Geo node:       Primary
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.14.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:      /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git
```
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- [REDACTED]