Blind SSRF on "Detect host keys" function of Mirroring repositories feature
HackerOne report #1486659 by jimeno
on 2022-02-20, assigned to @ankelly
Report
Summary
The repository mirroring feature has SSRF protection. However, its host key detection sub-feature, which is only available when mirroring a repository over SSH, lacks this protection. This leads to a blind SSRF vulnerability that allows an attacker to force the backend to open a TCP connection to the internal network, bypassing the Outbound network traffic restriction.
You can see below how this protection is enabled by default on my GitLab EE Docker installation.
[REDACTED]
Here you can see how normal repository mirroring has SSRF protection enabled and throws an error when a URL pointing to 127.0.0.1 is provided to it.
[REDACTED]
Steps to reproduce
Setup: In order to run an internal service and verify that the connection is being made, install ncat on your GitLab instance (this is only needed to make reproduction easier; it is not needed in a real-world attack).
(host) $ docker container exec -it gitlab bash
(container) # apt update && apt install -y ncat
...
Now, run a listener on it:
(container) # echo "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4" | ncat -lvp 3333
Attack:
- Sign in as a non-instance-admin user to your GitLab instance.
- Create a blank project.
- Browse to the project's Settings -> Repository.
- In the mirror repositories feature, select the Push method.
- In the URL field, provide a valid-format SSH Git repository URL. The key part is that the domain must point to 127.0.0.1. In my case, local.rigel.wiki has an A record pointing to it. My payload: [REDACTED]
- Notice a new button appears in the UI: Detect host keys.
- Click it.
- On the ncat listener, notice that a connection was established, effectively bypassing the Outbound network traffic block against the internal network that is enabled by default in GitLab EE.
[REDACTED]
root@rigel:/# echo "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4" | ncat -lvp 3333
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::3333
Ncat: Listening on 0.0.0.0:3333
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:36532.
SSH-2.0-OpenSSH-keyscan
[Binary SSH key-exchange packet (KEXINIT) sent by ssh-keyscan; non-printable bytes were lost in extraction, leaving only the algorithm name lists:]
,Acurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256!rsa-sha2-512,rsa-sha2-256,ssh-rsalchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.comlchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.comumac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1none,zlib@openssh.comnone,zlib@openssh.com
NOTE: since Rails caches the scanned keys, if you attempt to reproduce this more than once you will first need to clear the Rails cache or use a different domain name. You can clear the cache by running gitlab-rake cache:clear.
Impact
Blind SSRF allowing an attacker to force GitLab to send TCP packets to forbidden networks.
Examples
N/A. See reproduction steps.
What is the current bug behavior?
The "Detect host keys" function of the repository mirroring feature bypasses the internal network traffic protection.
What is the expected correct behavior?
The "Detect host keys" function of the repository mirroring feature should refuse to detect keys for internal network services, applying the same outbound network restriction as the mirroring feature itself.
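The fix described above amounts to running the same target validation before the host key scan that the mirroring feature already runs before cloning. The following Ruby snippet is an added illustration of such a check and is not GitLab's own code; the blocked address ranges, the URL parsing, the BlockedHostError class and the injectable resolver are all assumptions made for this example. It resolves the hostname from the SSH URL, rejects the scan if any resolved address falls inside a loopback, private, link-local or IPv4-mapped range, and returns the already-checked IP so the subsequent connection uses the address that was validated rather than resolving the name a second time.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges a self-hosted instance should not be steered into from a
# user-supplied mirror URL (hypothetical list for this example; a real
# deployment would derive this from its outbound-request settings).
BLOCKED_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 100.64.0.0/10 0.0.0.0/8
  ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }

# Hypothetical error type raised when the scan target is not allowed.
class BlockedHostError < StandardError; end

# Extract host and port from an SSH git URL, either ssh://user@host:port/path
# or the scp-like user@host:path form that git also accepts.
def ssh_host_from_url(url)
  if url.start_with?("ssh://")
    uri = URI.parse(url)
    raise ArgumentError, "missing host in #{url}" if uri.host.nil?
    [uri.host, uri.port || 22]
  elsif (m = url.match(%r{\A(?:[^@/]+@)?([^:/]+):}))
    [m[1], 22]
  else
    raise ArgumentError, "not an SSH git URL: #{url}"
  end
end

def literal_ip?(str)
  IPAddr.new(str)
  true
rescue IPAddr::InvalidAddressError
  false
end

# True when the address lies inside any blocked range (IPv4 or IPv6).
def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Validate the scan target. The resolver is injectable so the check can be
# exercised offline; by default it uses the system resolver. Every resolved
# address is checked, not just the first, so a name that mixes public and
# internal records is still rejected.
def allowed_scan_target(url, resolver: ->(h) { Resolv.getaddresses(h) })
  host, port = ssh_host_from_url(url)
  ips = literal_ip?(host) ? [host] : resolver.call(host)
  raise BlockedHostError, "#{host} did not resolve" if ips.empty?

  bad = ips.select { |ip| blocked_ip?(ip) }
  unless bad.empty?
    raise BlockedHostError, "#{host} resolves to blocked address(es): #{bad.join(', ')}"
  end

  # Hand back the validated IP so the caller connects to exactly what was
  # checked, closing the window for DNS rebinding between check and use.
  { host: host, ip: ips.first, port: port }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed resolver: one public name, one name pointing at loopback.
  fake_dns = ->(h) { { "mirror.example" => ["203.0.113.10"], "local.example" => ["127.0.0.1"] }.fetch(h, []) }
  p allowed_scan_target("git@mirror.example:group/repo.git", resolver: fake_dns)
  begin
    allowed_scan_target("git@local.example:group/repo.git", resolver: fake_dns)
  rescue BlockedHostError => e
    puts "rejected: #{e.message}"
  end
end
```

The key design point is the order of operations: resolve, check every returned address, then connect to the checked address. Checking the hostname string alone (for example, a denylist of "localhost") would not have caught the report's payload, since local.rigel.wiki is an ordinary public name whose A record happens to point at 127.0.0.1.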
Relevant logs and/or screenshots
N/A. See reproduction steps and summary.
Output of checks
Results of GitLab environment info
root@rigel:/# gitlab-rake gitlab:env:info
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.4
Bundler Version: 2.1.4
Rake Version: 13.0.6
Redis Version: 6.0.16
Git Version: 2.33.1.
Sidekiq Version: 6.3.1
Go Version: unknown
GitLab information
Version: 14.7.3-ee
Revision: dfd1d9f3e51
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.7
URL: https://rigel.wiki
HTTP Clone URL: https://rigel.wiki/some-group/some-project.git
SSH Clone URL: git@rigel.wiki:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: auth0
GitLab Shell
Version: 13.22.2
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
[REDACTED]