Read any repo file (incl. private ones) via postMessage on both gitlab.com/self-hosted instance (bypass #1417680)
HackerOne report #1699831 by niraeth
on 2022-09-14, assigned to GitLab Team
Report
Summary
An attacker can use a specially crafted webpage to read the content of a victim's repo via postMessage when the victim uses the Live Preview feature.
The attack vector and impact are the same as in report #1417680 (CVE-2022-2907). Although it was fixed in the previous report, I have found a workaround/bypass for it.
Steps to reproduce
The reproduction below will be done on gitlab.com, but it works (and I have tested) for self-hosted instances as well. For self-hosted instances, you will need to manually enable the Live Preview feature for the exploit to work. You can follow the guide here to enable the feature.
Reproduce for gitlab.com:
- Login to https://gitlab.com using the credentials: email niraeth+100@wearehackerone.com and password 89J6\U^_tV?/yY7X
- Go to the poc page at https://exploits.niraeth.com/sites/gitlab/postMessage%20readFile%202/readFile%203499E693D443B4E6ED4CE8D0F815F991.html
- Follow instructions on the poc page.
Reproduce for your own instance:
- Download the HTML file (attached as readFile_3499E693D443B4E6ED4CE8D0F815F991.html)
- Modify the URL shown in the attached screenshot (URL_to_be_modified.JPG)
- Follow the instructions above (Reproduce for gitlab.com)
Vulnerable Code / Bypass Details
First, take a look at the fix implemented from the previous report (attachment fix_from_prev_report.JPG). You can see that it checks the message's source, to check that it comes from this.frameWindow. this.frameWindow is an iframe that points to https://sandbox-prod.gitlab-static.net/. $id is now also checked against this.channelId (a random int from 100000-999999).
However, because there is an XSS vulnerability at https://sandbox-prod.gitlab-static.net/, an attacker can use this XSS to call postMessage and bypass the source check. The said XSS can be triggered via postMessage due to the vulnerable code shown in the attached screenshots (cframe_-1-_message_listener.JPG and cframe_-_2-_eval.JPG).
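The bypass chain above, as an added example (not the reporter's PoC and not GitLab's code): a minimal Node.js model of the two postMessage listeners, showing why the parent's `source` check is defeated once the trusted child frame can be made to run attacker script, and what a hardened sandbox-side listener looks like. Everything about message shapes is an assumption: the field names `type`, `path`, `$id` and `code`, the attacker-origin hostname, the sample file content, and the assumption that the sandbox frame's listener evaluates a string taken from the message (the page only shows that code in an attachment titled cframe_-_2-_eval.JPG). The channelId check is kept as the page describes it; how the reporter satisfied it is not stated, so the model takes the id as an input.

```javascript
// Added example (not GitLab's code): a minimal model of the two postMessage
// listeners the report describes, showing why the parent's `source` check
// is defeated once the trusted child frame can be made to run attacker
// script. Assumptions, not taken from the page: the message field names
// (`type`, `path`, `$id`, `code`), and that the sandbox frame's listener
// evaluates a string from the message (the page only shows that code in an
// attachment titled cframe_-_2-_eval.JPG).

const ORIGIN_IDE = 'https://gitlab.com';
const ORIGIN_SANDBOX = 'https://sandbox-prod.gitlab-static.net';

// Constructed sample repo content; stands in for the victim's private files.
const SAMPLE_FILES = {
  '.gitlab-ci.yml': 'deploy:\n  script: ssh -i "$DEPLOY_KEY" deploy@prod ./release.sh\n',
};

// Just enough of a browser Window to model postMessage. The third argument
// stands in for what the browser knows and the sender cannot forge: which
// window the call came from (it becomes event.source / event.origin).
class FakeWindow {
  constructor(origin) {
    this.origin = origin;
    this.parent = null;
    this.listeners = [];
  }
  addEventListener(_type, fn) { this.listeners.push(fn); }
  postMessage(data, _targetOrigin, fromWindow) {
    const event = { data, origin: fromWindow.origin, source: fromWindow };
    for (const fn of this.listeners) fn(event);
  }
}

// Parent (IDE) side, modelled on the fix from the previous report: accept a
// message only if it comes from the sandbox iframe and carries the channelId.
function makeIde(files, channelId) {
  const ide = new FakeWindow(ORIGIN_IDE);
  ide.frameWindow = new FakeWindow(ORIGIN_SANDBOX);
  ide.frameWindow.parent = ide;
  ide.channelId = channelId;
  ide.leaked = []; // file contents that got past the checks
  ide.addEventListener('message', (e) => {
    if (e.source !== ide.frameWindow) return;  // source check
    if (e.data.$id !== ide.channelId) return;  // channel id check
    if (e.data.type === 'readFile' && e.data.path in files) {
      ide.leaked.push(files[e.data.path]);
    }
  });
  return ide;
}

// Assumed vulnerable sandbox listener: no origin check, and it evaluates a
// string from the message. Whoever can reach this frame with postMessage
// gets script execution in the sandbox origin, i.e. as `this.frameWindow`.
function installVulnerableSandbox(frame) {
  frame.addEventListener('message', (e) => {
    if (typeof e.data.code === 'string') {
      new Function('window', e.data.code)(frame); // `window` is the frame
    }
  });
}

// Hardened sandbox listener: origin pinned to the IDE and message types
// dispatched through a fixed table, so no message can turn into code.
function installHardenedSandbox(frame) {
  const handlers = {
    render: (e) => { frame.lastRendered = String(e.data.html); },
  };
  frame.addEventListener('message', (e) => {
    if (e.origin !== ORIGIN_IDE) return;
    if (!Object.prototype.hasOwnProperty.call(handlers, e.data.type)) return;
    handlers[e.data.type](e);
  });
}

// The attacker's page. It can hold a WindowProxy to the sandbox frame and
// call postMessage on it, but cannot make a message *appear* to come from
// that frame. `guessId` is whatever value the attacker supplies for the
// 6-digit channelId; the page does not say how the reporter satisfied it.
function runAttack(ide, guessId) {
  const attacker = new FakeWindow('https://attacker.example');
  // 1. Direct attempt: event.source is the attacker window, so it is dropped.
  ide.postMessage({ type: 'readFile', path: '.gitlab-ci.yml', $id: guessId }, '*', attacker);
  // 2. Via the frame: have the sandbox run code that re-sends the same
  //    request from *its* window, which is exactly what the parent trusts.
  const payload =
    `window.parent.postMessage({type:'readFile', path:'.gitlab-ci.yml', $id:${guessId}}, '*', window);`;
  ide.frameWindow.postMessage({ code: payload }, '*', attacker);
  return ide.leaked;
}

// Run the same attack against each sandbox variant and return what leaked.
function demo(installSandbox) {
  const channelId = 123456; // constructed; a real one is random
  const ide = makeIde(SAMPLE_FILES, channelId);
  installSandbox(ide.frameWindow);
  return runAttack(ide, channelId);
}

console.log('vulnerable sandbox leaked:', demo(installVulnerableSandbox));
console.log('hardened sandbox leaked:  ', demo(installHardenedSandbox));
```

Run it with `node`. The point the model makes is the one the report makes: the parent's `source` comparison is sound in itself (the direct attempt from the attacker window is dropped), but it only expresses trust in whatever script is running in the sandbox frame, so a message-triggered eval in that frame turns the attacker's WindowProxy into a message that passes the check. The fix therefore belongs in the frame's own listener (pin `event.origin`, dispatch by a fixed table, never evaluate message data), which is what "the attacker should not be able to communicate with the message event listener" amounts to.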
Impact
- Read files of private repo - steal source code etc
- Read sensitive files such as .gitlab-ci.yml, which is almost guaranteed to contain things like API keys or SSH keys that are necessary for the pipeline to work. This would then enable an attacker to further their attack, e.g. gaining remote access to a server.
Examples
The repo used for this PoC is available at https://gitlab.com/nicgene/vue-todo . However, any other project/repo that is properly configured for the Live Preview feature would work too.
Note that the above repo is not controlled by me.
What is the current bug behavior?
Attacker is able to read repo files
What is the expected correct behavior?
The attacker should not be able to communicate with the message event listener.
Relevant logs and/or screenshots
Nil. Refer to the section Vulnerable Code / Bypass Details for screenshots of the affected code
Output of checks
This bug happens on GitLab.com and Self Hosted GitLab
Results of GitLab environment info
System information
System: Ubuntu 20.04
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version:6.4.0
Go Version: unknown
GitLab information
Version: 15.3.3
Revision: c629a47f87f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: http://ec2-13-228-76-134.ap-southeast-1.compute.amazonaws.com
HTTP Clone URL: http://ec2-13-228-76-134.ap-southeast-1.compute.amazonaws.com/some-group/some-project.git
SSH Clone URL: git@ec2-13-228-76-134.ap-southeast-1.compute.amazonaws.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Impact
Mentioned in the report.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- fix_from_prev_report.JPG
- cframe_-_2-_eval.JPG
- cframe_-1-_message_listener.JPG
- URL_to_be_modified.JPG
- readFile_3499E693D443B4E6ED4CE8D0F815F991.html
How To Reproduce
Please add reproducibility information to this section: