Malicious Runner Attachment via GraphQL
HackerOne report #1969599 by yvvdwf
on 2023-05-02, assigned to @rshambhuni:
Report
Hi,
This GraphQL endpoint allows associating a runner with a project without checking whether the current user has permission on that project. It leads to the ability to assign a (malicious) runner to any project. Consequently, this is a possible attack vector to "steal" runner jobs.
Steps to reproduce

- Prepare: as the victim, create a private project. Note the project ID, e.g., `111111111`.
- As the attacker:
  1.1. In an existing project, or create a new one, go to Settings / CI/CD / Runners. Follow the steps in "Project runners" to set up a runner for this project.
  1.2. After registering the runner, edit it by unchecking "Lock to current projects", then click "Save changes".
  1.3. Note the ID of the runner, e.g., `999999999`.
  1.4. Open https://gitlab.com/-/graphql-explorer, and run the following query after replacing the IDs of your runner and the victim project:

  ```graphql
  mutation {
    runnerUpdate(input: {
      id: "gid://gitlab/Ci::Runner/999999999",
      associatedProjects: ["gid://gitlab/Project/111111111"]
    }) {
      runner {
        ownerProject { fullPath }
      }
      errors
    }
  }
  ```

- As the victim, open the private project and go to Settings / CI/CD / Runners. You should see that the runner is now in the list of "Assigned project runners".
  2.1. Add a `.gitlab-ci.yml` file to the project, if it does not exist, using the following content:

  ```yaml
  build-job:
    script:
      - echo "This script will be run in a malicious runner"
  ```

  2.2. When going to CI/CD / Jobs, you should see that the job is executed by the runner above.
Impact
The impact should be similar to CVE-2022-0735 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). That is, an unauthorized user is able to steal runner jobs, which can be used to uncover private information such as project code and CI/CD job tokens.
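An added illustration, not GitLab's code and not part of the report: a minimal Ruby model of a runner-update service, showing the missing per-project permission check beside the corrected version. `Project`, `Runner`, `can_admin_project?` and the two `runner_update_*` functions are hypothetical names, and the sample data in the test is constructed.

```ruby
require 'set'

# Toy data model (hypothetical, not GitLab's schema).
# maintainers: set of user ids allowed to administer the project.
Project = Struct.new(:id, :maintainers)
# owner: user id that registered the runner; projects: ids it is assigned to.
Runner  = Struct.new(:id, :owner, :projects)

# Hypothetical permission helper: may `user` administer `project`?
def can_admin_project?(user, project)
  project.maintainers.include?(user)
end

# Vulnerable shape: only checks that the caller owns the runner, then
# trusts the list of projects from the mutation input as-is.
def runner_update_vulnerable(current_user, runner, projects)
  return { errors: ['not runner owner'] } unless runner.owner == current_user

  runner.projects = projects.map(&:id).to_set
  { errors: [] }
end

# Hardened shape: the caller must own the runner AND be allowed to
# administer every project being attached; otherwise nothing changes.
def runner_update_hardened(current_user, runner, projects)
  return { errors: ['not runner owner'] } unless runner.owner == current_user

  denied = projects.reject { |p| can_admin_project?(current_user, p) }
  unless denied.empty?
    ids = denied.map(&:id).join(', ')
    return { errors: ["insufficient permission on project(s) #{ids}"] }
  end

  runner.projects = projects.map(&:id).to_set
  { errors: [] }
end
```

The hardened version refuses the whole request rather than silently dropping the denied projects, so the caller gets an explicit error in the `errors` field.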