
Blind SSRF on "Detect host keys" function of Mirroring repositories feature

HackerOne report #1486659 by jimeno on 2022-02-20, assigned to @ankelly:


Report

Summary

The repository mirroring feature has SSRF protection. However, its host key identification sub-feature, which is only available when mirroring a repository over SSH, lacks this protection. This leads to a blind SSRF vulnerability that allows an attacker to force the backend to send a TCP packet to the internal network, bypassing the Outbound network traffic feature.

You can see below how this protection is enabled by default on my GitLab EE Docker installation.

[REDACTED]

Here you can see how normal repository mirroring has SSRF protection enabled and throws an error when a URL pointing to 127.0.0.1 is provided.

[REDACTED]

Steps to reproduce

Setup: in order to run an internal service and verify that the connection is made, install ncat on your GitLab instance (this is only needed to make reproduction easier; it is not required in a real-world attack).

(host) $ docker container exec -it gitlab bash  
(container) # apt update && apt install -y ncat  
...  

Now, run a listener on it:

(container) # echo "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4" | ncat -lvp 3333  

Attack:

  1. Sign in to your GitLab instance as a user who is not an instance admin.
  2. Create a blank project.
  3. Browse to the project's Settings -> Repository.
  4. In the Mirroring repositories section, select the Push method.
  5. For the URL, provide a valid-format SSH Git repository URL. The key part is that the domain must point to 127.0.0.1. In my case, local.rigel.wiki has an A record pointing to it. My payload: [REDACTED]
  6. Notice that a new button appears in the UI: Detect host keys.
  7. Click it.
  8. On the ncat listener, notice that a connection was established, effectively bypassing the Outbound network traffic block against the internal network that is enabled by default in GitLab EE.

[REDACTED]

root@rigel:/# echo "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4" | ncat -lvp 3333  
Ncat: Version 7.80 ( https://nmap.org/ncat )  
Ncat: Listening on :::3333  
Ncat: Listening on 0.0.0.0:3333  
Ncat: Connection from 127.0.0.1.  
Ncat: Connection from 127.0.0.1:36532.  
SSH-2.0-OpenSSH-keyscan

(raw SSH_MSG_KEXINIT packet printed by ncat; the non-printable length bytes between the name-lists are dropped and each name-list is shown on its own line)
kex algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
encryption (client to server): chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
encryption (server to client): chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
mac (client to server): umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
mac (server to client): umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
compression (client to server): none,zlib@openssh.com
compression (server to client): none,zlib@openssh.com

NOTE: since Rails caches the scanned keys, if you attempt to reproduce this more than once you will need to clear the Rails cache first or use a different domain name. You can clear the cache by running gitlab-rake cache:clear.

Impact

Blind SSRF that allows an attacker to force GitLab to send TCP packets to forbidden networks.

Examples

N/A. See reproduction steps.

What is the current bug behavior?

The "Detect host keys" function of the Mirroring repositories feature bypasses the internal network traffic protection.

What is the expected correct behavior?

The "Detect host keys" function of the Mirroring repositories feature should refuse to detect keys for services on the internal network.
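The expected behaviour above amounts to applying the same outbound-request check to the host-key scan that the mirror URL itself already receives. The following Ruby module is an added example of such a guard and is not GitLab's own code: it extracts the host from an ssh:// or scp-style Git URL, resolves it, and refuses to run the key scan if any resulting address falls in a loopback, link-local or private range. The module name, the blocked-range list and the injectable resolver are assumptions made for the example; a real deployment would reuse the instance's configured allow-list and the same resolver the mirroring code uses, so that both features make an identical decision.

```ruby
require 'ipaddr'
require 'resolv'

# HostKeyGuard (hypothetical name): pre-check for a mirror URL before the
# "Detect host keys" action runs ssh-keyscan against it.
module HostKeyGuard
  class BlockedHostError < StandardError; end

  # Ranges that outbound requests to the internal network should never reach.
  # Assumed list for the example; IPv4-mapped IPv6 is handled via IPAddr#native.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Pull the host out of "ssh://user@host:port/path", "ssh://user@[v6]:port/path"
  # or the scp-like "user@host:path" form. Returns nil for anything else.
  def self.extract_host(url)
    if (m = url.match(%r{\Assh://(?:[^@/]+@)?(?:\[([^\]]+)\]|([^/:\s]+))(?::\d+)?(?:/|\z)}))
      return m[1] || m[2]
    end
    return nil if url.include?('://') # http(s)://... is not an SSH mirror URL

    m = url.match(%r{\A(?:[^@\s]+@)?([^:/\s]+):})
    m && m[1]
  end

  # Resolve every address for the host and reject the scan if any is blocked.
  # The resolver is injectable so the check can be exercised without DNS.
  def self.check!(url, resolver: method(:default_resolve))
    host = extract_host(url)
    raise BlockedHostError, 'unparseable mirror URL' unless host

    ips = ip_literal?(host) ? [host] : resolver.call(host)
    raise BlockedHostError, "#{host} did not resolve" if ips.empty?

    ips.each do |ip|
      addr = IPAddr.new(ip).native # ::ffff:a.b.c.d -> a.b.c.d
      if BLOCKED_RANGES.any? { |range| range.include?(addr) }
        raise BlockedHostError, "#{host} resolves to blocked address #{ip}"
      end
    end
    ips # safe to hand to ssh-keyscan
  end

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  def self.default_resolve(host)
    Resolv.getaddresses(host)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed resolver standing in for DNS: one public host, one that points
  # at loopback like the report's local.rigel.wiki.
  fake_dns = ->(h) { { 'mirror.example' => ['203.0.113.10'], 'local.example' => ['127.0.0.1'] }.fetch(h, []) }
  puts HostKeyGuard.check!('git@mirror.example:group/repo.git', resolver: fake_dns).inspect
  begin
    HostKeyGuard.check!('ssh://git@local.example:3333/group/repo.git', resolver: fake_dns)
  rescue HostKeyGuard::BlockedHostError => e
    puts "refused: #{e.message}"
  end
end
```

Checking every resolved address rather than only the first matters because a hostname can return both a public and a loopback record; the scan should be refused if any of them is blocked.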

Relevant logs and/or screenshots

N/A. See reproduction steps and summary.

Output of checks
Results of GitLab environment info
root@rigel:/# gitlab-rake gitlab:env:info

System information  
System:		  
Proxy:		no  
Current User:	git  
Using RVM:	no  
Ruby Version:	2.7.5p203  
Gem Version:	3.1.4  
Bundler Version:2.1.4  
Rake Version:	13.0.6  
Redis Version:	6.0.16  
Git Version:	2.33.1.  
Sidekiq Version:6.3.1  
Go Version:	unknown

GitLab information  
Version:	14.7.3-ee  
Revision:	dfd1d9f3e51  
Directory:	/opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:	PostgreSQL  
DB Version:	12.7  
URL:		https://rigel.wiki  
HTTP Clone URL:	https://rigel.wiki/some-group/some-project.git  
SSH Clone URL:	git@rigel.wiki:some-group/some-project.git  
Elasticsearch:	no  
Geo:		no  
Using LDAP:	no  
Using Omniauth:	yes  
Omniauth Providers: auth0

GitLab Shell  
Version:	13.22.2  
Repository storage paths:  
- default: 	/var/opt/gitlab/git-data/repositories  
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
Git:		/opt/gitlab/embedded/bin/git  

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

[REDACTED]

How To Reproduce

Please add reproducibility information to this section:

Edited by Costel Maxim