Unauthorized Access to Container Registry of other groups / CVE-2019-12825

HackerOne report #615168 by atomic111 on 2019-06-14, assigned to gitlab_cmaxim:

Unauthorized Access to Container Registry of other groups

Created two users

pentest1

username = pentest1
mail = pentest1@groupofdestruction.de
pw = Pentest1]

pentest2

username = pentest2
mail = pentest2@groupofdestruction.de
pw = Pentest2]

Login as pentest1

build:docker:
  stage: build
  image: docker:18
  services:
    - docker:dind
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    # fetches an image, this could also be built here
    - docker pull centos:7
    - docker pull centos:6
    - docker pull oraclelinux:7
    # instead of docker build, we are using docker tag here, but it does not really
    # - >
    #   DOCKER_BUILDKIT=1
    #   docker build
    #   --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
    #   --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
    #   -f Dockerfile
    #   .
    - docker tag docker.io/centos:7 $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
    - docker tag docker.io/centos:7 $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
    - docker tag docker.io/centos:6 $CI_REGISTRY_IMAGE:2.12.1
    - docker tag docker.io/oraclelinux:7 $CI_REGISTRY_IMAGE:2.13.1

    # push image to gitlab registry
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
    - docker push $CI_REGISTRY_IMAGE:2.12.1
    - docker push $CI_REGISTRY_IMAGE:2.13.1

Add gitlab.yml

Pipeline success

  • You should see the published repos

Registry with docker images

Rename to grouppentest2

registry after renaming to grouppentest2

  • Logout as pentest1

Login as pentest2

  • Login with user pentest2
  • Create a new group called grouppentest1

created_grouppentest1_group_with_user_pentest2.png

  • Create a new project called trial1

create_project_trial1_as_pentest2.png

  • See Docker images from the previous user

see_docker_images_from_user_pentest1.png

Impact

  • Get access to Docker registries of other groups without having the rights

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by GitLab SecurityBot
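The sequence in the report (images pushed under a group path, the group renamed away, a different user creating a new group under the vacated path) can be spotted from audit events. The following is an added example written for this page, not code from the report or from GitLab: it replays the steps as constructed audit events and flags the namespace reuse, and it shows one preventive control (refusing to rename a group that still has images stored under its path). The event names, field names and the `AuditEvent` structure are assumptions, not GitLab's audit-log schema.

```python
# Added example, not from the HackerOne report or GitLab's code base.
# Event and field names below are assumptions, not GitLab's audit-log schema.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AuditEvent:
    ts: int
    event: str                      # "registry_push" | "group_rename" | "group_create"
    actor: str                      # username performing the action
    path: str                       # group path the event refers to
    new_path: Optional[str] = None  # target path, only for "group_rename"


def find_namespace_reuse(events: List[AuditEvent]) -> List[dict]:
    """Return one finding per group creation that lands on a path which a
    renamed group left behind while container images were still stored under it."""
    pushers: Dict[str, Set[str]] = {}                       # path -> users who pushed images
    vacated: Dict[str, Tuple[str, Optional[str]]] = {}      # old path -> (renamer, new path)
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "registry_push":
            pushers.setdefault(ev.path, set()).add(ev.actor)
        elif ev.event == "group_rename":
            if ev.path in pushers:
                # the registry keeps the images keyed by the old path
                vacated[ev.path] = (ev.actor, ev.new_path)
            vacated.pop(ev.new_path, None)  # the target path is occupied again
        elif ev.event == "group_create":
            if ev.path in vacated:
                renamer, new_path = vacated.pop(ev.path)
                findings.append({
                    "ts": ev.ts,
                    "path": ev.path,
                    "created_by": ev.actor,
                    "previous_owner": renamer,
                    "renamed_to": new_path,
                    "image_pushers": sorted(pushers[ev.path]),
                    "cross_user": ev.actor != renamer,
                })
    return findings


def rename_allowed(path: str, events: List[AuditEvent]) -> bool:
    """Preventive control (one mitigation option assumed here, not a statement
    about GitLab's fix): refuse to rename a group path that has images under it."""
    return not any(e.event == "registry_push" and e.path == path for e in events)


# Constructed events mirroring the report: pentest1 pushes images under
# grouppentest1, renames the group to grouppentest2, then pentest2 creates a
# fresh group called grouppentest1 and can see the images.
SAMPLE_EVENTS = [
    AuditEvent(1, "group_create", "pentest1", "grouppentest1"),
    AuditEvent(2, "registry_push", "pentest1", "grouppentest1"),
    AuditEvent(3, "group_rename", "pentest1", "grouppentest1", "grouppentest2"),
    AuditEvent(4, "group_create", "pentest2", "grouppentest1"),
    AuditEvent(5, "group_create", "pentest2", "unrelatedgroup"),  # benign, never used
]

if __name__ == "__main__":
    for finding in find_namespace_reuse(SAMPLE_EVENTS):
        print(finding)
    print("rename of grouppentest1 allowed:", rename_allowed("grouppentest1", SAMPLE_EVENTS))
```

Run against the sample events, `find_namespace_reuse` yields a single finding for `grouppentest1` created by pentest2 after pentest1 renamed it away, and `rename_allowed` refuses the original rename because images were already stored under that path. The `cross_user` flag separates an owner reclaiming their own old path from the cross-account case the report describes.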