Unauthorized Access to Container Registry of other groups / CVE-2019-12825
HackerOne report #615168 by atomic111
on 2019-06-14, assigned to gitlab_cmaxim
Unauthorized Access to Container Registry of other groups
Created two users:
- pentest1
  - username = pentest1
  - mail = pentest1@groupofdestruction.de
  - pw = Pentest1]
- pentest2
  - username = pentest2
  - mail = pentest2@groupofdestruction.de
  - pw = Pentest2]
Login as pentest1
- Go to https://gitlab.com/dashboard/groups?nav_source=navbar
- Create a new group with user pentest1 at https://gitlab.com/groups/new called grouppentest1, with private as the default selection
- Create a new private project with the name trial1 in group grouppentest1
- Go to https://gitlab.com/grouppentest1/trial1
- Create a new file .gitlab-ci.yml at https://gitlab.com/grouppentest1/trial1/new/master with the content located in this repo:
  build:docker:
    stage: build
    image: docker:18
    services:
      - docker:dind
    before_script:
      - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    script:
      # fetches an image, this could also be built here
      - docker pull centos:7
      - docker pull centos:6
      - docker pull oraclelinux:7
      # instead of docker build, we are using docker tag here, but it does not really
      # - >
      #   DOCKER_BUILDKIT=1
      #   docker build
      #   --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
      #   --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
      #   -f Dockerfile
      #   .
      - docker tag docker.io/centos:7 $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
      - docker tag docker.io/centos:7 $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
      - docker tag docker.io/centos:6 $CI_REGISTRY_IMAGE:2.12.1
      - docker tag docker.io/oraclelinux:7 $CI_REGISTRY_IMAGE:2.13.1
      # push image to gitlab registry
      - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
      - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
      - docker push $CI_REGISTRY_IMAGE:2.12.1
      - docker push $CI_REGISTRY_IMAGE:2.13.1
- Wait until CI is done and go to https://gitlab.com/grouppentest1/trial1/container_registry
- You should see the published repos
- Go to group management at https://gitlab.com/groups/grouppentest1/-/edit and change the group name to 'grouppentest2' and the path to grouppentest2
- Project registry does not show any container https://gitlab.com/grouppentest1/trial1/container_registry
- Logout as pentest1
Login as pentest2
- Login with user pentest2
- Create a new group called grouppentest1
- Create a new project called trial1
- See docker images from previous user
Impact
- Get access to docker registries of other groups without having the rights
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- complete_trail1_repo_withgitlab-ci_yml.png
- created_grouppentest1_group_with_user_pentest2.png
- create_project_trial1_as_pentest2.png
- gitlab_docker_registry_for_trial1.png
- gitlab_version.png
- registry_after_rename_to_grouppentest2.png
- rename_to_grouppentest2.png
- success_pipeline_trial1_repo.png
- see_docker_images_from_user_pentest1.png
- Advisory_CVE-2019-12825.txt
Edited by GitLab SecurityBot
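The root cause described above is that registry repositories are keyed by the group path recorded at push time, so a rename leaves them behind under a name anyone can re-register. The following is an added example, not code from the report or from GitLab: a small audit model that (a) lists registry repositories whose namespace no longer matches any existing group, which are exactly the repositories a newly created group with the old name would inherit, and (b) shows a rename guard that refuses to move a group while registry tags still live under its old path. The data model, the `rename_group` guard and the `simulate_report` scenario are assumptions constructed for illustration; they do not describe GitLab's internal schema or its actual fix.

```python
"""Audit model for dangling container-registry namespaces after a group rename.

Added example (not GitLab code). The data model and the guard are assumptions
chosen to illustrate the class of bug in CVE-2019-12825; the scenario data is
constructed from the report's reproduction steps.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class RegistryRepo:
    # Registry path as recorded when the image was pushed, e.g. "grouppentest1/trial1".
    path: str
    # Tags that exist under that path (constructed sample values).
    tags: tuple


def namespace_of(repo_path: str) -> str:
    """Top-level namespace (the group) of a registry path."""
    return repo_path.split("/", 1)[0]


def find_dangling_repos(repos: Iterable[RegistryRepo], live_groups: Iterable[str]) -> List[str]:
    """Registry repositories whose group no longer exists.

    After a rename without cleanup these are the repositories that a fresh group
    created under the old name would silently take over."""
    live = set(live_groups)
    return sorted(r.path for r in repos if namespace_of(r.path) not in live)


def can_claim(groups: Set[str], repos: Iterable[RegistryRepo], name: str) -> bool:
    """True if creating a group called `name` would hand over existing images."""
    return name not in groups and any(namespace_of(r.path) == name for r in repos)


def rename_group(groups: Set[str], repos: Iterable[RegistryRepo], old: str, new: str,
                 *, guard: bool = True) -> Set[str]:
    """Rename a group path and return the new group set.

    guard=True  : refuse while registry repositories still live under `old`
                  (the kind of check that closes this bug class; assumed, not
                  a statement about GitLab's real fix).
    guard=False : mimic the vulnerable behaviour, the group moves but the
                  registry paths stay behind."""
    if old not in groups:
        raise KeyError(f"no such group: {old!r}")
    if new in groups:
        raise ValueError(f"group path {new!r} is already taken")
    if guard and any(namespace_of(r.path) == old for r in repos):
        raise ValueError(f"cannot rename {old!r}: container registry tags still exist under it")
    updated = set(groups)
    updated.remove(old)
    updated.add(new)
    return updated


def simulate_report(guard: bool) -> Dict[str, object]:
    """Replay the report's steps against the model and summarise the outcome."""
    groups = {"grouppentest1"}
    # Constructed: the tags the pipeline in the report pushes (branch name assumed "master").
    repos = [RegistryRepo("grouppentest1/trial1", ("2.12.1", "2.13.1", "master"))]
    try:
        groups = rename_group(groups, repos, "grouppentest1", "grouppentest2", guard=guard)
    except ValueError as err:
        return {"renamed": False, "dangling": [], "claimable": False, "reason": str(err)}
    return {
        "renamed": True,
        "dangling": find_dangling_repos(repos, groups),
        # Step "Create a new group called grouppentest1" as pentest2:
        "claimable": can_claim(groups, repos, "grouppentest1"),
        "reason": "",
    }


if __name__ == "__main__":
    for guard in (False, True):
        print(f"guard={guard}: {simulate_report(guard)}")
```

Run stand-alone, the `guard=False` pass reproduces the report's outcome (one dangling repository, claimable by re-creating the old group name), while the `guard=True` pass shows the rename being refused. Against a real installation the same `find_dangling_repos` logic can be fed the registry's repository catalogue and the list of current group paths to spot images that have already been orphaned by earlier renames.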